HIPAA Core Policy: Technical and Non-Technical Evaluation

To establish policy for technical and non-technical evaluations for information systems that contain, maintain, or transmit ePHI or other sensitive information and for operational and organizational policies and practices relevant to the security of ePHI.

Effective Date: 11/15/2019

Review/Revised Date: 08/16/2023

Category: Ethic and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer



1.   PURPOSE: To establish policy for technical and non-technical evaluations for information systems that contain, maintain, or transmit ePHI or other sensitive information and for operational and organizational policies and practices relevant to the security of ePHI.

2.   APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time-to-time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, an Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine Enterprise managed entities that may be added from time-to-time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”


3.1 Definitions:

3.1.1. Business Associate (BA): A person or entity (other than an employee of a UAB/UAB Medicine Enterprise Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB Covered Entity. A Business Associate of one UAB Covered Entity does not become a Business Associate of any other UAB Covered Entity simply by virtue of the UAB Affiliation.
3.1.2. Business Associate Agreement (BAA): A legal agreement between UAB and the Business Associate that outlines how the Business Associate will protect the PHI that they store, process, or transmit on behalf of UAB. This is an additional document separate from the contract.
3.1.3. Sensitive Information: Any information that should only be accessed by authorized personnel. It includes protected health information, financial information, personnel and student data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled or lost.


4.   POLICY:

4.1.  UAB shall utilize both technical and non-technical evaluations to detect vulnerabilities in a system and to verify the effectiveness of controls.

4.2.  Technical evaluations may include:

4.2.1. Vulnerability scanning
4.2.2. Penetration testing

4.3.  Non-technical evaluations may include:

4.3.1. Self-assessment or gap analysis against regulatory requirements
4.3.2. A review of policies, procedures and plans to validate that they have been periodically reviewed, updated, and approved
4.3.3. Verification of security control settings
4.3.4. Confirmation that the workforce understands and follows security policies
4.3.5. A routine review of third-party business partners' security controls

4.4.  Results from technical or non-technical evaluations shall be reviewed with the appropriate leadership.
4.5.  Remediation plans shall be vetted and tracked to resolution.

5.   CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.1.  Your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at https://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators.html)
5.2.  The HSIS Help Desk at 205-934-8888 or helpdesk@uabmc.edu
5.3.  The UAB IT AskIT Help Desk at 205-996-5555 or AskIT@uab.edu
5.4.  UAB HIPAA Security Office at InfoSec@uabmc.edu or 205-975-1440
5.5.  UAB IT Information Security line at 205-975-0842


7.   SCOPE: This policy applies to all UAB entities covered under HIPAA and their systems that maintain ePHI.