Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Contingency Plan
Policy Number: IS-07 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Policy and Privacy Services Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
To provide guidelines for the implementation of Drexel University’s (DU) Contingency Plan designed to protect the availability, integrity and confidentiality of electronic protected health information (e-PHI).
DU has developed a Contingency Plan that will be used to respond to a system emergency involving systems that contain e-PHI.
A Contingency Plan has been developed, implemented, and will be routinely updated. The Contingency Plan will enumerate the specific processes and procedures that will be followed to respond to a system emergency including:
- Data backup.
- Preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency.
- Recovering from a disaster.
Specifically, the Contingency Plan provides mechanisms to:
- Avoid interruptions to critical functions even while undergoing the loss of electricity, fire, vandalism, true disaster or other occurrence where systems and data are threatened.
- Minimize impact on total business operations, and minimize interruptions to critical functions so that they occur only infrequently, are brief in duration, and do not result in detrimental consequences.
- Address complications and consequences of normal lost processing time, operations degradation, lost equipment replacement processes, insurance funds, alternative processing sites, temporary office space, equipment, key personnel, telephones and other basic business equipment.
B. Criticality Analysis:
The Contingency Plan includes a criticality analysis of IT applications and systems that lists all data and applications residing on each system with a level of criticality assigned to each type of data and each application. The analysis will assess the sensitivity, vulnerabilities and security of programs and the information DU receives, manipulates, stores or transmits.
C. Emergency Mode Operation Plan:
The Contingency Plan includes an Emergency Mode Operation Plan that contains a process enabling DU to continue to operate in the event of fire, vandalism, natural disaster or system failure. It will specify the actions to be taken during the timeframe that emergency operations are underway.
The Security Officer has the authority to use back-up data to resume operations. In such a situation, DU would restore the system to its last operational state, and the Security Office would operate the system from the back-up location until the disaster situation is remedied.
The Security Officer works with the Facilities Department in planning for emergency access to DU facilities and the modifications needed to safeguard e-PHI.
D. Data Backup:
Procedures for data backup will be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
- DU requires the creation and maintenance of an exact retrievable copy of its e-PHI. Back-ups are created in the most appropriate form and in a timely manner.
- In the event that backup data is used to restore system operations, all system defaults will be reset by the Security Officer or Database Administrator.
E. Disaster Recovery:
Disaster recovery procedures will encompass a process for enabling DU to recover any loss of data in the event of fire, vandalism, natural disaster, or system failure. DU has established a Disaster Recovery Plan that covers simple hardware failures as well as more critical system failures due to a catastrophic event. The Disaster Recovery Plan establishes procedures for both controllable events (disasters that can be subdued by human work, such as building fires, power failures, pipe leaks/bursts, etc.) and uncontrollable events (e.g., earthquakes, hurricanes, floods, etc.).
The Security Officer will work with the Privacy Officer and others to compile and maintain the information outlined in the Contingency Plan that is to be stored in multiple formats, on and off-site to be used in the event of an emergency. This Disaster Recovery Plan outline allows for orderly resumption of activities and resumption of system recovery to the point of failure. It includes an outline for the business priorities for DU, including related assumptions and a final base plan with activation criteria.
DU has defined processes to protect e-PHI during and immediately after a crisis while operating in emergency mode. Basic elements include definition of the notification process, clear pre-defined instructions on work-around procedures, crisis management information and business continuity planning.
F. Periodic Testing:
Procedures will be developed for periodic testing of the Contingency Plan to discover weaknesses, and for revising documentation as necessary.
45 CFR § 164.308(a)(7)
Cross Reference: DU Contingency Plan