TESTING AND REVISION PROCEDURE
POLICY # 25
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement procedures for periodic testing and revision of contingency
plans.”
Policy Summary:
Sindecuse Health Center (SHC) must conduct regular testing of its IT
contingency plan to ensure that it is up to date and effective. The results
of testing must be formally documented and presented to appropriate
SHC management. SHC’s disaster recovery plan must be kept current
via a formal change control process.
Purpose:
This policy reflects SHC’s commitment to regularly test its information
technology contingency plan.
Policy:
1. SHC must conduct regular testing of its contingency plan to ensure
that it is current and operative. SHC must have a formal process defining
how and when its plan will be tested.
2. As appropriate, the following types of tests can be performed on
SHC’s contingency plan:



Paper test: A detailed walk-through of the plan that typically
includes tasks such as validating the vendor call and notification
lists and reviewing end user procedures.
Limited scope test: A test of one or more components of the
disaster recovery plan. Typical test tasks include using backup
tapes to restore selected information systems at a remote
recovery facility or on test machines within SHC; and testing
communications between SHC and its alternate/recovery facility
or facilities.
Simulated full-scale disaster: A complete test of the disaster
recovery plan. The test will likely interrupt normal SHC
operations and should only be attempted after significant limited
scope testing and after determination that such a test would not
Page 1 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
TESTING AND REVISION PROCEDURE
impact patient care. Such testing typically requires executive
management support and extensive planning.
3. The results of such tests must be formally documented and presented
to appropriate SHC management. The contingency plan must be revised
as necessary to address issues or gaps identified in the testing process.
4. SHC’s contingency plan must be kept current via a formal change
control process. Examples of events that must result in an update of the
plan include, but are not limited to:





Change in disaster recovery personnel.
Change in contact information for disaster recovery personnel.
Significant change(s) to SHC’s technical or physical
infrastructure.
Change in key suppliers or customers.
Significant change in threats to SHC facilities or information
systems.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Contingency Plan
Standard
Regulatory
Reference:
45 CFR 164.308(a)(7)(ii)(D)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
Page 2 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
TESTING AND REVISION PROCEDURE
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Facility means the physical premises and the interior and exterior of a
building(s).
Emergency means a crisis situation.
Disaster means an event that causes harm or damage to SHC information
systems. Disasters include but are not limited to: tornado, fire, extended
power outage, equipment failure, or a significant computer virus
outbreak.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Contingency Plan
Data Backup Plan
Disaster Recovery Plan
Emergency Mode Operation Plan
Applications and Data Criticality Analysis
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 3 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.