HIPAA Core Policy: Contingency Planning   

Abstract: 
This policy establishes guidelines for contingency planning for information systems that contain, maintain, or transmit ePHI or other sensitive information.

Effective Date: 04/08/2005

Review/Revised Date: 08/16/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

1. PURPOSE: To establish policy for contingency planning for information systems that contain, maintain, or transmit ePHI or other sensitive information. 

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, an Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine Enterprise managed entities that may be added from time to time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Business Associate (BA): A person or entity (other than an employee of a UAB Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB Covered Entity. A Business Associate of one UAB Covered Entity does not become a Business Associate of any other UAB Covered Entity simply by virtue of the UAB Affiliation.
4.1.2. Business Associate Agreement: A legal agreement between UAB and the Business Associate that outlines how the Business Associate will protect the PHI that they store, process, or transmit on behalf of UAB. This is an additional document separate from the contract.
4.1.3. Downtime: Any time a supported information technology system or network critical to patient care or business operations is partially or totally unavailable for use.
4.1.4. Backup procedure: A detailed step-by-step method for saving data and, if appropriate, storing it securely offsite, that includes hardware, software, and configuration information.
4.1.5. Downtime procedure: A detailed step-by-step workflow description that ensures continuity of the business and the security of data for use in a recovery procedure. This is equivalent to an emergency mode operation plan.
4.1.6. Contingency plan: A set of strategies that coordinates processes and procedures for the continuance of patient care and business operations in the event of computer system or network downtime and recovery of information systems containing ePHI or other sensitive information following an emergency or disruptive event.
4.1.7. Disaster recovery plan: The combination of a recovery procedure and a restoration procedure following computer system or network downtime.
4.1.8. Restoration procedure: A detailed step-by-step method for recovering a computer system or network from backup media. It shall also include details on necessary hardware, software, licensing keys, and system information.
4.1.9. Recovery procedure: A detailed step-by-step method for recovering data or transactions that occur during a system downtime.
4.1.10. Recovery time: The amount of time that it takes to restore information systems to normal operations following a disaster. This includes the amount of time it would take for vendors to replace hardware, installation time, restoration from backup, and the implementation of the recovery procedure.
4.1.11. Secure offsite location: A physically and environmentally safe storage area that is separated from where the originating information systems reside.
4.1.12. Sensitive Information: Any information that should only be accessed by authorized personnel. It includes protected health information (PHI), personally identifiable information (PII), financial information, personnel and student data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB/UAB Covered Entities if inappropriately handled or lost.

5. POLICY:

5.1. A contingency/disaster recovery plan shall be developed and published for every in-scope system used in each patient care and business operations area.

5.1.1. The operational area shall develop downtime procedures in conjunction with other departments that maintain information systems.
5.1.2. The procedures shall address downtime events.
5.1.3. Contingency plans should include support from external vendors and business associates as defined in the business associate agreement/contract where necessary.
5.1.4. The procedure shall be reviewed periodically and updated as business practices change within the operational area.

5.2. All system users shall be trained on downtime procedures so that they know how to respond appropriately and in a timely manner in the event of actual downtime. NOTE: Downtime procedures should be reviewed before a downtime is experienced.
5.3. All downtime procedures shall be published and available within the individual entity.
5.4. The entity contingency plan shall be reviewed by the appropriate management periodically and whenever significant system changes are implemented.
5.5. All downtime procedures shall be tested for accuracy and ease-of-use prior to publication and periodically.
5.6. All downtime procedure tests shall be documented.
5.7. All downtime procedures shall be reviewed and approved by the affected management prior to publication.

5.8. Systems that contain sensitive data shall be backed up at least once per business day. Backup media should be encrypted where possible and securely stored (onsite or offsite) at all times. The backup shall contain the sensitive data and all necessary software required to process the data.

5.8.1. Full backups to support business operations and recovery shall be maintained at all times.
5.8.2. A restoration procedure must be able to restore the system to a state as specified by the recovery objectives.

5.9. An entity's contingency/disaster plan will be kept in multiple locations including the covered area and one copy with leadership of the area.

5.10. HIPAA Information Security Office (UAB Medicine Enterprise Information Security Office) Responsibilities

5.10.1. Provide guidance on appropriate security measures.
5.10.2. Provide assistance drafting/reviewing policies.

5.11. User Responsibilities

5.11.1. Ensure that sensitive information is stored in a directory on a secure network file server and not on individual workstations.

5.12. System Administrator Responsibilities

5.12.1. Document vendor contacts (with approved BAA), system configuration, backup procedures, and restoration procedures including required hardware and software for inclusion in the entity’s contingency plan.
5.12.2. Provide notification to management on any system backup failure, i.e., a backup process failed to complete as scheduled.

5.13. Management responsibilities

5.13.1. Ensure that appropriate resources are assigned for contingency efforts and users are trained on downtime procedures.
5.13.2. Ensure that the contingency plan is tested and reviewed as needed.
5.13.3. Ensure that the contingency plan is updated as business procedures change or following an activation of the contingency plan.
5.13.4. Ensure creation, maintenance, and adherence to core policies and procedures including:

5.13.4.1. Emergency contact lists that include managers and system administrators
5.13.4.2. Critical system inventory and configuration
5.13.4.3. Vendor contact lists (i.e. hardware, software, forms, supplies)
5.13.4.4. Alternative working procedures for all critical business functions
5.13.4.5. Backup procedures
5.13.4.6. Restoration procedures
5.13.4.7. Recovery procedures
5.13.4.8. Testing procedures
5.13.4.9. Revision procedures

5.13.5. Ensure that all published procedures, test results, and other documentary evidence shall be archived for no less than six years.

5.14. Entity Security Coordinator responsibilities

5.14.1. Maintain entity contingency plan including:

5.14.1.1. Emergency contact lists that include managers and system administrators
5.14.1.2. Critical system inventory and configuration
5.14.1.3. Vendor contact lists (i.e. hardware, software, forms, supplies)
5.14.1.4. Alternative working procedures for all critical business functions
5.14.1.5. Backup procedures
5.14.1.6. Restoration procedures
5.14.1.7. Recovery procedures
5.14.1.8. Testing procedures
5.14.1.9. Revision procedures

5.14.2. Collect updates to entity contingency plan from entity system administrators.
5.14.3. Ensure that recovery time and contingency plan are reviewed and approved by the affected management. Note that contingency planning may cross standard departmental boundaries.
5.14.4. Periodically test the contingency plan including contacting vendors, to ensure replacement system availability.
5.14.5. Provide the HIPAA Information Security Office with an updated entity contingency plan if/when revised.

5.15. Violations of these policies may result in disciplinary action, up to and including termination of employment or assignment.

6. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

6.1. Your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators)
6.2. HSIS Help Desk at 205-934-8888
6.3. UAB IT AskIT Help Desk at 205-996-5555 or askit@uab.edu
6.4. UAB HIPAA Security Office at InfoSec@uabmc.edu or 205-975-1440
6.5. UAB IT Information Security line at 205-975-0842

7. REFERENCES: None

8. SCOPE: This policy applies to all UAB entities covered under HIPAA and their systems that maintain ePHI.

9. ATTACHMENTS: None