Contingency Plan

SCOPE

All UMB Schools and Departments designated as covered entities.

BACKGROUND

Unexpected events that damage or disable computer systems containing ePHI, and so disrupt business operations, will eventually occur.  Covered entities must recognize the need to define contingency plans that provide the steps required to maintain business operations at some level during such events. 

Data backup plans, disaster recovery plans, emergency mode operation plans, testing and revision procedures, and application and data criticality analyses are the core components of a covered entity's overall contingency plan.  Each of these sub-plans may be unique to an individual covered entity, depending on its size, the complexity of its systems, its location, and its physical and technical considerations.  This policy and procedure document provides the initial steps needed to outline or begin the development of each component.

POLICY

Covered entities shall create and maintain a documented contingency plan that provides a mechanism to minimize the impact on overall business operations during a loss of information systems and/or of data stored, accessed, or transmitted on an information system.  Covered entity contingency plans must also ensure that the confidentiality, integrity, and availability of PHI are maintained.  Contingency plans must include the following components:

  1. Data Backup Plan – Covered entities shall be responsible for documenting the procedures for creating and maintaining an exact, retrievable copy of all PHI.  This may also include the maintenance and retrieval of paper files containing PHI.  Data backup plans shall include the following minimal documentation:
    1. Schedule
    2. Method (full, differential, or incremental)
    3. Media Storage
    4. Restoration Procedures 
  2. Disaster Recovery Plan – Each covered entity shall be responsible for documenting procedures to restore data and/or equipment lost due to an emergency, power loss, fire, vandalism, natural disaster, or other occurrence.  Disaster recovery plans shall include the following minimal documentation:
    1. Key Assumptions
    2. Disaster Recovery Team Identification
    3. Data Backup and Restore Procedures
    4. Application and Data Criticality List
  3. Emergency Mode Operation Plan – Each covered entity shall be responsible for documenting procedures that allow the critical business processes required for the protection and security of PHI to continue while operating in emergency mode.  Emergency mode operation plans shall include the following minimal documentation:
    1. Risk Management Procedures
    2. Access Authorization Procedures
    3. Minimal Audit Requirements (See AUDIT CONTROLS policy)
  4. Testing and Revision – Each covered entity shall be responsible for routinely testing its contingency plans and for making any revisions that such testing shows to be necessary.  All contingency plan tests and revisions shall include the following minimal documentation:
    1. Date of Test
    2. Components Tested
    3. Results of Test
    4. Revisions Made
    5. Security Liaison Acknowledgment
  5. Applications and Data Criticality – Each covered entity shall be responsible for documenting the prioritization of system applications and related data to support the resumption of normal business and systems processing.  The application and data criticality list shall include the following minimal components:
    1. Application/Data Description
    2. Application/Data Priority Level
    3. Required Functionality
    4. Required IT systems

General Provisions

  1. The Security Officer will ensure that all process and/or technical solutions relating to the assignment and management of information access privileges are well documented and retained in accordance with UMB's retention policy.  The Security Officer will work with the HIPAA Oversight Committee to ensure that the related implementation subtasks are appropriately assigned, allowing for a realistic implementation process.
  2. The Security Officer, the Privacy Officer, and/or the Department of Human Resources, as the case may be, will ensure that all related policies and procedures, including training materials, are updated.
  3. To the extent that workforce functions are affected by the chosen process and/or technical solution, the training department will work with managers to coordinate the implementation and to ensure that each affected workforce member is trained.
  4. The Security Officer will ensure that routine monitoring is carried out to continually assess the effectiveness of the covered entity's ability to balance the confidentiality of PHI with its integrity and availability.  This routine monitoring includes review of all technical and non-technical solutions to ensure they are kept in working order, so that the organization remains prepared to respond in the event of an emergency.

CROSS REFERENCES/RESOURCES

Federal Law:  45 CFR § 164.308(a)(7), 164.530(c)

UMB Policies & Procedures referenced herein:

  • AUDIT CONTROLS

By Authority of: UMB Leadership

Effective Date:  4/20/05

Revision Date:   5/05/05