NUMBER: 7.3.13
DATE: April 1, 2005
REVISION:
SECTION: INFORMATION TECHNOLOGY
AREA: NETWORK SECURITY
SUBJECT: DISASTER RECOVERY
SCOPE
UAMS Workforce using or disclosing Confidential Information, which includes Electronic Protected Health Information (ePHI), for any purpose.
DEFINITIONS
Backup means creating a retrievable, exact copy of data.
Disaster means an event that causes harm or damage to UAMS information systems. Disasters include, but are not limited to, the following: earthquake, fire, extended power outage, equipment failure, or a significant computer virus outbreak.
Confidential Information includes information concerning UAMS research projects, confidential employee information, information concerning the UAMS research programs, proprietary information of UAMS, and sign-on and password codes for access to UAMS computer systems. Confidential Information shall include Protected Health Information.
Electronic Protected Health Information means individually identifiable
health information that is:
• Transmitted by Electronic media
• Maintained in Electronic media
Protected Health Information (PHI) means information that is part of an individual's health information that identifies the individual, or for which there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual. This includes PHI which is recorded or transmitted in any form or medium (verbally, in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights and Privacy Act and health information about UAMS employees maintained by UAMS in its role as an employer.
To access any other terms or definitions referenced in this policy:
http://hipaa.uams.edu/DEFINITIONS - HIPAA.pdf
POLICY
UAMS Information Technology (IT) will establish and implement as needed the UAMS IT Disaster Recovery Plan (DRP), which contains contingency policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages IT-supported systems that contain Confidential Information, which includes Electronic Protected Health Information (ePHI). The IT Division is committed to employing all appropriate strategies for anticipating and controlling crisis situations by implementing the IT DRP.
1. IT Management is responsible for establishing, implementing and maintaining the IT Disaster Recovery Plan (DRP). The plan is located at http://disasterrecovery.uams.edu and will include:
A. An Emergency Response Plan (ERP) that contains procedures which will serve as a guide to IT Management and Staff toward recovery of the systems. Procedures that allow physical facility access during emergencies to support restoration of data will be included in the ERP.
B. A data backup plan that establishes and implements procedures to create and maintain retrievable, exact copies of Electronic Protected Health Information.
• For network file servers, the Network Administrator is responsible for the backups and other measures necessary for the overall security of the software and data stored on the network storage space.
• For stand-alone microcomputers, the primary user of that system is responsible for backups and any other measures necessary to ensure the security and integrity of the data and software.
• Individual workstation users on the network are responsible for backups and data security for local storage space.
C. Critical Data Center Operations, which are defined in the Disaster Recovery Critical Systems List and which assess the relative criticality of specific applications and data in support of other contingency plan components. The List is updated as new systems or redundant equipment for existing systems are purchased, and as system status is upgraded to higher priorities.
D. A Business Continuity Plan (BCP), which serves as an emergency mode operation plan to establish and implement procedures to enable continuation of critical business processes for protection of the security of Electronic Protected Health Information (ePHI) while operating in emergency mode. The BCP is comprised of departmental procedures supplied to IT for publishing in the Disaster Recovery Plan and will serve as a guide to UAMS staff toward continuing normal business operations during an IT Emergency.
2. Individual UAMS Division Areas or Team Leaders will assist in the development of plans for their areas of responsibility, to include appropriate maintenance of their respective plans, which are to be consistent with the overall Policies and Procedures established by senior IT Management.
3. All employees are expected to comply with established practices and procedures of the ERP, which are designed to minimize the risk to themselves and others, as well as to minimize threats to personnel, technical resources, property, or to the security of the facility.
4. The Disaster Recovery Plan will be regularly tested and periodically revised as needed.
5. An IT Disaster will be called, and the IT Disaster Recovery Plan initiated, when any situation occurs that disables access to the systems in the Data Center and requires ordering new hardware to be delivered to an alternate location for setup and access.
6. Copies of the Disaster Recovery Plan and other documents referenced in the Plan will be stored off-site on the Disaster Recovery Website located at the UAMS DR Site and in hard copy with an off-site Vaulting Service. The documents will be readily available for reference online, or for delivery in the event of an emergency situation that restricts or prohibits access to the normal workplace. The Website is: http://disasterrecovery.uams.edu.
7. When an IT Disaster is called, the Disaster Recovery Plan should be referenced.
IT staff responsible for getting systems back on-line should access the Emergency Response Plan section and follow the instructions under their department heading.
All other UAMS staff should access the Business Continuity Plan section and follow the instructions under their department heading.