HIPAA Core Policy: Risk Analysis and Management of ePHI   

Abstract: 
This policy establishes guidelines for ongoing risk analysis and management of ePHI, which will assist in determining the value of assets and the corresponding exposure to threats and vulnerabilities.

Effective Date: 04/08/2005

Review/Revised Date: 08/16/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

1. PURPOSE: To establish a risk analysis policy for ePHI and the management of the risks identified. Information produced during the risk analysis will be used to determine and manage the countermeasures critical for assurance of our ePHI resources. Risk management is an ongoing process to determine the value of assets and the corresponding exposure to threats and vulnerabilities.

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, an Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine Enterprise managed entities that may be added from time to time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

3. ASSOCIATED INFORMATION: DEFINITIONS:

3.1. Definitions:

3.1.1. Information Security Officer: A designated individual responsible for the management of information security. Currently both the Campus and the UAB Medicine Enterprise operate information security offices.

3.1.2. Electronic Protected Health Information (ePHI): PHI in electronic form.

3.1.3. HIPAA Security Officer: A designated individual responsible for HIPAA related information security issues.

3.1.4. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or for which there is a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) or employment records held by a covered entity in its role as an employer.

3.1.5. Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact to the confidentiality, integrity, and availability of confidential information.

3.1.6. Risk Analysis: An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by a UAB Covered Entity.

3.1.7. Risk Management: The implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:

3.1.7.1. Ensure the confidentiality, integrity, and availability of all ePHI the UAB Covered Entity creates, maintains, receives, or transmits;

3.1.7.2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;

3.1.7.3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rules;

3.1.7.4. Ensure compliance with the HIPAA Security Rule and HITECH Act;

3.1.7.5. Ensure Meaningful Use/Promoting Interoperability requirements are met.

5. POLICY:

5.1. Covered entities who maintain or transmit ePHI shall:

5.1.1. Conduct and document a thorough risk analysis a minimum of every three years in coordination with the HIPAA Security Officer and the Entity Security Coordinator.

5.1.1.1. Exceptions to the three-year analysis cycle include:

5.1.1.1.1. When changes to the environment could affect the confidentiality, integrity, or availability of sensitive or business-critical information, a risk assessment or impact analysis must be conducted.

5.1.1.1.2. The occurrence of an event or incident warranting the reevaluation of risks requires an immediate risk assessment.

5.1.1.1.3. Regulatory requirements, such as an assessment performed for a Meaningful Use/Promoting Interoperability attestation period.

5.1.2. Conduct and document risk analysis, consisting of the following minimal components:

5.1.2.1. Asset inventory,

5.1.2.2. Data criticality analysis,

5.1.2.3. Threat assessments,

5.1.2.4. Determination of risk exposures, and

5.1.2.5. Development of a risk mitigation strategy.

5.1.2.6. Maintain a written record of the analysis/assessment for 6 years.

5.1.3. Submit the risk assessment findings and the mitigation strategy to the appropriate information security office within 30 days of concluding the assessment. The appropriate information security office shall forward a copy of the risk assessment findings to the HIPAA Security Officer.

5.1.4. In collaboration with the appropriate information security office, document risk acceptance decisions and implement measures to remediate vulnerabilities and sufficiently reduce risk exposure within a reasonable timeframe after concluding the assessment.

5.1.5. Document the remediation activities.

5.1.6. Submit the risk remediation plan to the appropriate information security office, which shall forward a copy of the mitigation plan to the HIPAA Security Officer.

5.1.7. Provide written exemption or extension requests for any vulnerability that, due to business or technology constraints, cannot be remediated in the allotted time. All such requests must be approved by the appropriate information security office and the HIPAA Security Officer.

5.2. Data produced from the risk assessment shall be kept confidential.

5.3. Violations of these standards may result in disciplinary action, up to and including dismissal.

5.4. Business Associates must comply with risk analysis and risk management requirements contained in the HIPAA Security Rule. Business Associates who do not meet those requirements could be subject to breach of contract penalties, possible legal prosecution, and other legal remedies/ramifications as available to UAB.

5.5. All business associates shall be required to sign a business associate agreement approved by UAB Legal Counsel.

6. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

6.1. Your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators)

6.2. HSIS Help Desk at 205-934-8888

6.3. UAB IT AskIT Help Desk at 205-996-5555 or askit@uab.edu

6.4. UAB HIPAA Security Office at InfoSec@uabmc.edu or 205-975-1440

6.5. UAB IT Information Security line at 205-975-0842

7. REFERENCES: None.

8. SCOPE: This policy applies to all UAB entities covered under HIPAA and systems that maintain ePHI, and all Business Associates.

9. ATTACHMENTS: None.

To view other HIPAA Core Policies and for more information, please visit the HIPAA website.