POLICY # 21
CONTINGENCY PLAN
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Establish (and implement as needed) policies and procedures for
responding to an emergency or other occurrence (for example, fire,
vandalism, system failure, and natural disaster) that damages systems
that contain EPHI.”
Policy Summary:
Sindecuse Health Center (SHC) must prepare for and be able to
effectively respond to emergencies or disasters in order to protect the
confidentiality, integrity and availability of its information systems.
Purpose:
This policy reflects SHC’s commitment to effectively prepare for and
respond to emergencies or disasters in order to protect the confidentiality,
integrity and availability of its information systems.
Policy:
1. SHC must have a formal process for both preparing for and effectively
responding to emergencies and disasters that damage the confidentiality,
integrity or availability of its information systems.
2. At a minimum, the process must include:
• Regular analysis of the criticality of SHC information systems.
• Development and documentation of a disaster and emergency recovery strategy consistent with business objectives and priorities.
• Development and documentation of a disaster recovery plan that is in accordance with the above strategy.
• Development and documentation of an emergency mode operations plan that is in accordance with the above strategy.
• Regular testing and updating of the disaster recovery and emergency mode operations plans.
3. SHC’s disaster and emergency response process must reduce the
disruption to SHC information systems to an acceptable level through a
combination of preventative and recovery controls and processes. Such
controls and processes must identify and reduce risks to SHC information
systems, limit damage caused by disasters and emergencies and ensure
the timely resumption of significant information systems and processes.
Such controls and processes must be commensurate with the value of the
information systems being protected or recovered.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
4. SHC workforce members must receive regular training and awareness
on SHC’s disaster preparation and disaster and emergency response
processes.
5. As described in the Application and Data Criticality Analysis
policy, SHC must have a formal process for defining and identifying the
criticality of its information systems.
6. As described in the Data Backup policy, all EPHI on SHC
information systems and electronic media must be regularly backed up
and securely stored.
7. As described in the Disaster Recovery Plan policy, SHC must create
and document a disaster recovery plan to recover its information systems
if they are impacted by a disaster.
8. As described in the Emergency Mode Operations Plan policy, SHC
must have a formal, documented emergency mode operations plan to
enable the continuance of crucial business processes that protect the
security of its information systems containing EPHI during and
immediately after a crisis situation.
9. As described in the Testing and Revision Procedures policy, SHC
must conduct regular testing of its disaster recovery plan to ensure that it
is up to date and effective.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.308(a)(7)(i)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full- and part-time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Disaster means an event that causes harm or damage to SHC information
systems. Disasters include but are not limited to: earthquake, fire,
extended power outage, equipment failure, or a significant computer
virus outbreak.
Emergency means a crisis situation.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Data Backup Plan
Disaster Recovery Plan
Emergency Mode Operation Plan
Testing and Revision Procedure
Applications and Data Criticality Analysis
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD