HIPAA Core Policy: Information Security and Privacy Incident Response   



This policy establishes the coordination of UAB's response to information security and privacy incidents to enable quicker remediation, information gathering, and reporting of infrastructure-affecting HIPAA security- and privacy-related events.

Effective Date: 10/18/2017


Review/Revised Date: 10/18/2017


Category: Ethics and Integrity


Policy Owner: Provost

Policy Contact: Chief Privacy Officer



 1. PURPOSE: To establish policy for the coordination of UAB's response to information security and privacy incidents. This will enable more efficient remediation, information gathering, and reporting of HIPAA security and privacy related events.

2. PHILOSOPHY: Proper policies and procedures must be in place to comply with various legal requirements provide a coordinated response to potential incidents that would threaten privacy and security of protected health information (PHI).

3. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time) and to the following UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Clinics, UAB Health Centers, Medical West Hospital, VIVA Health, Inc., University of Alabama Health Services Foundation owned and operated clinics, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time to time. For purposes of this policy, UAB and UABHS Covered Entities shall be collectively referred to as "UAB."


4.1. Definitions: 

4.1.1. Malicious code: Any program that is intended to circumvent security measures, destroy data, collect data for unauthorized third parties, or propagate data onto another system, i.e., exploits, viruses, worms, spyware.

4.1.2. Computer and network abuse: The use of resources in a manner inconsistent  with the UAB/UABHS policy.

4.1.3. Information security incident:  Any event or series of events that violates or threatens to violate information security policies, confidentiality, integrity, or availability related to a system or systems within the UABHS infrasturacture.

4.1.4. Privacy incident: Suspected breaches of confidentiality of PHI.

4.1.5. Protected Health Information (PHI): Health information, including demographic information, collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium.  PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

4.1.6. Sensitive information or data:  Any information that may only be accessed by authorized personnel.  It includes Protected Health Information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled. 


5.1. HIPAA Security Officer shall maintain the UABHS Incident Response Plan.
5.2. HIPAA Security Officer shall periodically test the UABHS Incident Response Plan.
5.3. HIPAA Privacy Officer shall manage the UAB/UABHS HIPAA Compliance Privacy Complaint, Incident Response and Breach Notification Procedure.
5.4. HIPAA Privacy Officer shall maintain the incident log and incident details and outcomes related to the UAB/UABHS HIPAA Compliance Privacy Complaint, Incident Response and Breach Notification Procedure for a period of no less than six years.
5.5 Covered entities shall coordinate response efforts under the direction of an Incident Response Team (IRT) as defined by the UABHS Incident Response Plan.

5.6. All Workforce Members shall report suspected privacy and information security incidents.

57. All Workforce Members shall cooperate with incident response investigations and resolutions.

5.8. Any member of the workforce of a UAB/UABHS covered entity, as stated in the Applicability section of this policy, who does not follow the above policies may be subject to disciplinary action up to and including termination of employment or assignment.

5.9.Vendors or contractors who do not follow the above policies may be subject to breach of contract penalties.

5.10. Management shall ensure workforce members are trained in incident response procedures appropriate for their roles.

5.11.  Entity Privacy Coordinator shall:

5.11.1. Serve as entity's primary privacy resource,

5.11.2. Follow information privacy incident procedures,

5.11.3. Investigate information privacy incidents,

5.11.4. Request audit trails,

5.11.5. Contact the proper areas regarding incidents,

5.11.6. Complete incident reports and distribute to appropriate parties,

5.11.7. Document and distribute the privacy incident resolutions within a timely manner, and

5.11.8. Track privacy incidents via the Request Tracking Spreadsheet.

5.12. Entity Security Coordinator shall:

5.12.1. Serve as entity's primary security contact and information resource.

5.12.2. Follow information security incident procedures.

5.12.3. Aid or assist in the investigation of information security incidents.

5.12.4. Immediately contact the HIPAA security office if an incident is suspected.

5.12.5. Assist in the completion of incident reports and distribute to the appropriate parties.

5.13. CONTACTS:  For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.13.1. Your departmental HIPAA Entity Privacy or Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/2-uncategorised/55-entity-privacy-coordinators and http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators).

5.13.2. The HSIS Help Desk at 934-8888.

5.13.3. The UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

5.13.4. UAB HIPAA Security Office at 975-1440.

5.13.5. UABHS Privacy Officer at 996-5051. 

7. SCOPE: This policy applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain PHI. 
To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.