HIPAA Core Policy: Information Security and Privacy Incident Response

This policy establishes the coordination of UAB's response to information security and privacy incidents to enable quicker remediation, information gathering, and reporting of infrastructure-affecting HIPAA security- and privacy-related events.
Responsible Party: None Assigned
Applies To: Faculty, Staff, Students

1. PURPOSE: This policy establishes the coordination of UAB's response to information security and privacy incidents to enable quicker remediation, information gathering, and reporting of infrastructure-affecting HIPAA security- and privacy-related events.

2. PHILOSOPHY: It is UAB's position that, in order to protect the integrity, availability, and confidentiality of business information including protected health information (PHI), systems, and applications, proper policies and procedures must be in place to comply with various legal requirements.

3. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Office of Benefits, and other UAB entities that may be added from time to time) and to the following UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital, UAB Health Centers, Medical West Hospital, VIVA Health, Inc., University of Alabama Health Services Foundation owned and operated clinics, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time to time. For purposes of this policy, UAB and UABHS Covered Entities shall be collectively referred to as “UAB.”


4.1. Definitions: 

4.1.1. Network service department: A group such as Health System Information Services or UAB Network Services that is responsible for maintaining network infrastructure.

4.1.2. Malicious code: Any program that is intended to circumvent security measures, destroy data, collect data for unauthorized third parties, or propagate itself or data onto another system, e.g., exploits, viruses, worms, spyware.

4.1.3. Computer and network abuse: The use of resources in a manner inconsistent with UAB/UABHS policy.

4.1.4. Incident notification: The initial discovery of a suspected security event. Note that notification occurs when log entries are reviewed rather than when they are initially written; an event recorded in a log that no one has examined has not yet been notified, which is why the response time frames in this policy run from the time of review.

4.1.5. Compromised system: Any entity computing or network resource that is performing actions on behalf of an unauthorized user, e.g., as a result of spyware, viruses, or stolen passwords.

4.1.6. IT security incident: Any activity that harms or represents a serious threat to the whole or part of UAB's computer, telephone, and/or network-based resources such that there is an absence or interruption of services. A security incident also includes unauthorized changes to hardware, firmware, software, or data; unauthorized disclosure of sensitive data or PHI; unauthorized change or deletion of PHI; and any actions of a criminal nature.

4.1.7. Privacy incident: A suspected breach of the confidentiality of PHI.

4.1.8. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health care provider, health plan, employer, or health care clearinghouse that (a) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; (b) identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual; and (c) is transmitted or maintained by electronic media or in any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act (FERPA) or employment records held by a covered entity in its role as an employer.

4.1.9. Sensitive information or data: Any information that may only be accessed by authorized personnel. It includes Protected Health Information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.


5.1. The appropriate network service department may disable network access in order to mitigate exposure from incidents.

5.1.1. The HIPAA Security Officer or the UAB IT Data Security Office may request that network access be disabled.

5.1.2. The HIPAA Security Officer or the UAB IT Data Security Office shall approve restoration of network access.

5.2. Network Service Department Responsibilities

5.2.1. Document the incident with the appropriate incident tracking system.

5.2.2. Enable and disable network ports in covered entities in coordination with the HIPAA Information Security Office or the UAB IT Data Security Office.

5.3. Help Desk Responsibilities

5.3.1. The help desk shall document all reported incidents.

5.3.2. The help desk shall enact the appropriate incident response procedures including contacting appropriate system administrators and information/data security office, the UAB HIPAA Security Officer, and the UABHS HIPAA Privacy Security Officer.

5.3.3. Security incidents, compromised systems, denial-of-service attacks, threats, or illegal activity shall be addressed within 4 hours of receiving the incident notification (e.g., disconnection from the network, virus removal, notification of the data security office). This includes contacting the appropriate system or network administrators.

5.3.4. Other acts of computer and network abuse shall be addressed as soon as possible after receiving the incident notification.

5.4. Responsibilities of All Workforce Members

5.4.1. Learn, understand, and practice information security and privacy.

5.4.2. Understand and comply with information security and privacy policies.

5.4.3. Follow appropriate information security and privacy incident procedures.

5.4.4. Report suspected privacy and information security incidents.

5.4.5. Cooperate with incident response investigations and resolutions.

5.4.6. Provide documentation of actions taken to address incidents.

5.5. Management Responsibilities

5.5.1. Report suspected privacy and security incidents.

5.5.2. Ensure workforce members are trained in incident response procedures appropriate for their roles.

5.5.3. Cooperate with incident response investigations and resolutions.

5.5.4. Ensure workforce members report suspected incidents.

5.6. System Administrator Responsibilities in a Security Incident

5.6.1. Ensure incident documentation with the appropriate incident tracking system.

5.6.2. Change all system passwords following any incident involving a compromised system or a compromised system administrator account, once the appropriate incident response steps have been completed.

5.6.3. Cooperate with incident response investigations and resolutions.

5.6.4. Provide documentation of actions taken to address incidents.

5.6.5. Monitor system logs at least once every business day to detect computer and network abuse.

5.6.6. Ensure that systems are secure prior to reconnecting them to the network (e.g., removal of viruses, restoration from backup, reinstallation, application of security patches).
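The daily log review required by 5.6.5 is what turns a logged event into an incident notification under 4.1.4, and the 4-hour response window in 5.3.3 runs from that review. The script below is an added example written for this page to illustrate that relationship; it is not part of the UAB policy or of any UAB procedure. The log line format, the failure threshold and window, the sample entries, and the review time are all constructed assumptions.

```python
"""Daily log review helper (added example, not part of the UAB policy).

Scans a day's authentication log for a burst of failed logins from one
source and for a successful login from that source after the burst
(a possible compromised account).  Each finding records the event time,
the notification time (the time of review, per 4.1.4) and the 4-hour
response deadline (per 5.3.3).  Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like format (assumption).
SAMPLE_LOG = """\
2024-03-04T22:01:13 sshd[411]: Failed password for admin from 203.0.113.7
2024-03-04T22:01:15 sshd[411]: Failed password for admin from 203.0.113.7
2024-03-04T22:01:17 sshd[411]: Failed password for admin from 203.0.113.7
2024-03-04T22:01:19 sshd[411]: Failed password for admin from 203.0.113.7
2024-03-04T22:01:21 sshd[411]: Failed password for admin from 203.0.113.7
2024-03-04T22:01:25 sshd[411]: Accepted password for admin from 203.0.113.7
2024-03-05T07:30:02 sshd[520]: Failed password for jdoe from 198.51.100.9
2024-03-05T07:30:40 sshd[520]: Accepted password for jdoe from 198.51.100.9
"""

FAILURE_THRESHOLD = 5              # failures from one source before flagging (assumption)
WINDOW = timedelta(minutes=10)     # window in which failures are counted (assumption)
RESPONSE_SLA = timedelta(hours=4)  # policy 5.3.3: address within 4 hours of notification


def parse_line(line):
    """Parse one sample log line into (timestamp, outcome, user, source)."""
    ts, _, rest = line.partition(" ")
    outcome = "fail" if "Failed password" in rest else "ok"
    words = rest.split()
    user = words[words.index("for") + 1]
    source = words[words.index("from") + 1]
    return datetime.fromisoformat(ts), outcome, user, source


def review_log(text, reviewed_at_iso):
    """Review the log at the given time and return a list of findings.

    Notification time is the review time, not the event time (4.1.4), so
    the detection lag shows how long an unreviewed log left the event unknown.
    """
    reviewed_at = datetime.fromisoformat(reviewed_at_iso)
    recent_failures = defaultdict(list)  # source -> failure times inside WINDOW
    flagged = set()                      # sources that already exceeded the threshold
    findings = []

    def record(kind, user, source, event_time):
        findings.append({
            "kind": kind,
            "user": user,
            "source": source,
            "event_time": event_time,
            "notified_at": reviewed_at,
            "deadline": reviewed_at + RESPONSE_SLA,
            "detection_lag": reviewed_at - event_time,
        })

    for line in text.splitlines():
        ts, outcome, user, source = parse_line(line)
        if outcome == "fail":
            window = [t for t in recent_failures[source] if ts - t <= WINDOW]
            window.append(ts)
            recent_failures[source] = window
            if len(window) >= FAILURE_THRESHOLD and source not in flagged:
                flagged.add(source)
                record("failed_login_burst", user, source, ts)
        elif source in flagged:
            # A success from a source that just brute-forced is treated as a
            # compromised system under 4.1.5 until proven otherwise.
            record("possible_compromise", user, source, ts)
    return findings


if __name__ == "__main__":
    # Assumed review time: the next business morning.
    for f in review_log(SAMPLE_LOG, "2024-03-05T09:00:00"):
        print(f"{f['kind']}: user={f['user']} source={f['source']} "
              f"event={f['event_time']} lag={f['detection_lag']} "
              f"respond_by={f['deadline']}")
```

With the assumed review time, the five failures and the subsequent success from 203.0.113.7 produce two findings, each with a detection lag of roughly eleven hours and a response deadline of 13:00 on the review day; the single failure from 198.51.100.9 is below the threshold and is not reported.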

5.7. Entity Privacy Coordinator Responsibilities

5.7.1. Serve as the entity's primary privacy resource.

5.7.2. Follow information privacy incident procedures.

5.7.3. Investigate information privacy incidents.

5.7.4. Request audit trails.

5.7.5. Contact the proper areas regarding incidents.

5.7.6. Complete incident reports and distribute them to the appropriate parties.

5.7.7. Document and distribute privacy incident resolutions in a timely manner.

5.7.8. Track privacy incidents via the Request Tracking Spreadsheet.

5.8. Entity Security Coordinator Responsibilities

5.8.1. Serve as the entity's primary security contact and information resource.

5.8.2. Follow information security incident procedures.

5.8.3. Investigate information security incidents.

5.8.4. Contact the proper areas regarding incidents.

5.8.5. Complete incident reports and distribute to the appropriate parties.

5.8.6. Report security incidents to the UAB HIPAA Security Officer.

5.8.7. Document the security incident resolutions.

5.9. HIPAA Security Office Responsibilities

5.9.1. Maintain incident response procedures.

5.9.2. Conduct investigations on security incidents in coordination with appropriate personnel.

5.9.3. Maintain an incident tracking system that includes incident details and outcomes and stores incident logs for a period of no less than six years.

5.9.4. Coordinate incident response activities across organizational boundaries.

5.9.5. Reassess preventative and detective controls for systems following a security incident in coordination with the appropriate personnel.

5.10. HIPAA Privacy Officer Responsibilities

5.10.1. Manage the UAB/UABHS HIPAA Compliance Privacy Complaint, Incident Response, and Breach Notification Procedure.

5.10.2. Maintain the incident log and incident details and outcomes related to the above for a period of no less than six years.

5.11. Any member of the workforce of a UAB/UABHS covered entity, as stated in Section 3 of this policy, who does not follow the above policies may be subject to disciplinary action up to and including termination of employment or assignment.

5.12. Vendors or contractors who do not follow the above standards may be subject to breach of contract penalties.

5.13. Suspected incidents shall be reported to one of the following: 

5.13.1. Managers or supervisors

5.13.2. Entity Privacy or Security Coordinators

5.13.3. Entity Compliance Office

5.13.4. Incident report through the UABHS Security website

5.13.5. HSIS Help Desk at 934-8888 

5.13.6. AskIT Help Desk at 996-5555 

5.14. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.14.1. Your departmental HIPAA Entity Privacy or Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators and http://www.hipaa.uab.edu/index.php/committees/2-uncategorised/55-entity-privacy-coordinators).

5.14.2. The HSIS Help Desk at 934-8888.

5.14.3. The UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

5.14.4. UAB HIPAA Security Office at 996-3328.

5.14.5. UABHS Privacy Officer at 996-5051.

7. SCOPE: This policy applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain PHI. 
To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.