HIPAA Core Policy: Information Security and Privacy Incident Response

This policy establishes the coordination of UAB's response to information security and privacy incidents, enabling quicker remediation, information gathering, and reporting of HIPAA security- and privacy-related events that affect UAB infrastructure.

Effective Date: 04/08/05

Review/Revised Date: 05/02/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

1. PURPOSE: To establish policy for coordinating UAB's response to HIPAA information security and privacy incidents, enabling more efficient remediation, information gathering, and reporting of HIPAA security- and privacy-related events.

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital Authority and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, an Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine Enterprise managed entities that may be added from time to time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as "UAB."


3.1. Definitions:

3.1.1. Information Security Incident: Any event or series of events that violates, or threatens to violate, information security policies or the confidentiality, integrity, or availability of a system or systems within the UAB enterprise or in third-party environments that provide services to UAB.

3.1.2. Privacy Incident: A suspected breach of the confidentiality of PHI.

3.1.3. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; that identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual; and that is transmitted or maintained in electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act (FERPA), or employment records held by a covered entity in its role as an employer.

3.1.4. Workforce Member: Any employee, volunteer, trainee, or other person whose conduct, in the performance of work for a UAB covered entity (as listed in Section 2 above), is under the direct control of the covered entity, whether or not they are paid by the covered entity.


4.1. The HIPAA Security Officer shall maintain the UAB Medicine Enterprise Incident Response Plan, which includes a process for UAB HIPAA covered entities to report security incidents involving PHI.

4.2. The HIPAA Security Officer shall periodically test the UAB Medicine Enterprise Incident Response Plan.

4.3. The HIPAA Privacy Officer shall manage the UAB/UAB Medicine Enterprise HIPAA Compliance Privacy Complaint, Incident Response and Breach Notification Procedure.

4.4. The HIPAA Privacy Officer shall maintain the incident log, including incident details and outcomes, related to the UAB/UAB Medicine Enterprise HIPAA Compliance Privacy Complaint, Incident Response and Breach Notification Procedure for a period of no less than six years.

4.5. Covered entities shall coordinate response efforts as defined by the UAB Medicine Enterprise Incident Response Plan.

4.6. All Workforce Members shall report suspected privacy and information security incidents.

4.7. All Workforce Members shall cooperate with incident response investigations and resolutions.

4.8. Any Workforce Member who does not follow the above policies may be subject to disciplinary action up to and including termination of employment or assignment.

4.9. Vendors or contractors who do not follow the agreed upon policies and procedures related to reporting and cooperating with investigations of suspected privacy and information security incidents may be subject to breach of contract penalties.

4.10. Management shall ensure Workforce Members are trained in incident response procedures appropriate for their roles.

4.11. Each UAB Covered Entity shall have an Entity Privacy Coordinator who shall:

4.11.1. Serve as the entity's primary privacy resource,

4.11.2. Follow information privacy incident procedures,

4.11.3. Investigate information privacy incidents,

4.11.4. Request audit trails,

4.11.5. Contact the proper areas regarding incidents,

4.11.6. Complete incident reports and distribute to appropriate parties,

4.11.7. Document and distribute privacy incident resolutions in a timely manner, and

4.11.8. Track privacy incidents via the Request Tracking Spreadsheet.

4.12. Each UAB Covered Entity shall have an Entity Security Coordinator who shall:

4.12.1. Serve as the entity's primary security contact and information resource,

4.12.2. Follow information security incident procedures,

4.12.3. Aid or assist in the investigation of information security incidents,

4.12.4. Immediately contact the HIPAA Security Office if an incident is suspected, and

4.12.5. Assist in the completion of incident reports and distribute to the appropriate parties.

4.13. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

4.13.1. Your departmental HIPAA Entity Privacy or Security Coordinator (found on the HIPAA website under "Committees").

4.13.2. The HSIS Help Desk at 934-8888.

4.13.3. The UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

4.13.4. UAB HIPAA Security Office at 975-1440.

4.13.5. UAB Privacy Officer at 996-5051.

Other HIPAA Core Policies and further information are available on the UAB HIPAA website.