Policy No.

8-27-2019

Revised Date:

Introduction:

The following describes WSU Employee Wellness’s policy regarding a contingency plan.

Definitions:

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media, but excludes individually identifiable health information in: (a) Education covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (c) employment records held by WSU Employee Wellness in its role as employer.

Protected Health Information (“PHI”): means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

Policy:

WSU Employee Wellness will respond to an emergency or other occurrence that damages WSU Employee Wellness’s information system, which contains electronic protected health information (“PHI”) through the use of its Data Backup Plan, Disaster Recovery Plan and Emergency Mode Operation Plan.  The Data Backup Plan is WSU Employee Wellness’s procedure to back up and store electronic PHI stored on WSU Employee Wellness’s information systems and create exact and retrievable copies of electronic PHI.  The Disaster Recovery Plan is WSU Employee Wellness’s procedure to recover electronic PHI that is lost, damaged, or corrupted in the event of a disaster or other emergency.  The Emergency Mode Operation Plan is WSU Employee Wellness’s procedure to allow the continuation of critical operations processes, while permitting necessary access to and use of electronic PHI, during and immediately following an emergency. 

 

A. Data Backup Plan

The Security Officer, with the assistance of Weber State University’s information technology provider shall establish specific backup schedules and procedures for WSU Employee Wellness’s networks and computer systems.  WSU Employee Wellness shall back up all software, applications, files, data, and messages related to electronic PHI stored on WSU Employee Wellness’s networks and other information systems to tape, CD-ROM, disk, or other storage media.  The Security Officer, or his or her designee, shall validate the accuracy, completeness and integrity of the backup performed.  The Security Officer, or his or her designee, shall act to promptly resolve errors shown by the validation process and shall either resolve the errors or seek outside technical support to assist in the resolution of errors in the backup process.  The storage media from the current week shall be stored onsite in an area secured in a safe.  The Security Officer shall approve an environmentally secure offsite location that provides adequate security and protection from fire and other disasters for storage of a copy of WSU Employee Wellness’s backup media.

 

B. Disaster Recovery Plan

The Security Officer shall assess the effect of the disaster on WSU Employee Wellness’s information systems containing electronic PHI to determine any lost functionality and loss of data.  The Security Officer shall notify its information technology software provider for backup and restoration if there is any lost functionality or loss of data.  The Security Officer, with the assistance of Weber State University’s information technology provider, shall determine whether offsite backup files are necessary.  The Security Officer shall oversee the loading and testing of backup files and getting the network and computer systems operational and back online.  

 

C. Emergency Mode Operational Plan

If the security of any network or computer system containing electronic PHI has been compromised as a result of an emergency, the Security Officer, with the assistance of its information technology provider, shall disable such network or computer system and operate only on secured systems.  If necessary, the Security Officer shall ensure that WSU Employee Wellness’s backup servers containing critical security applications are brought online to safeguard and continue critical business processes, applications (such as firewalls), and virus protection software, that protect computer systems and networks that contain electronic PHI.  The Security Officer, with the assistance of Weber State University's information technology provider, will assess the extent of damages to WSU Employee Wellness’s computer systems that enable continuation of critical business processes for the protection of electronic PHI, and begin procedures to repair and bring the computer systems back online as soon as practical.  The Security Officer shall contact providers for servicing any damaged computer systems to restore as soon as practical any damaged systems.  WSU Employee Wellness shall operate in emergency mode until the emergency has ended and all computer systems that affect the protection of electronic PHI have either been restored to full capacity or replaced. 

 

D. Testing and Revision Procedures

WSU Employee Wellness will take reasonable and appropriate steps to perform documented testing of WSU Employee Wellness] contingency plans on a periodic basis to assess the sufficiency of such plans.  The Security Officer will review the documented testing results and recommend revisions, as necessary, to WSU Employee Wellness contingency plans to address any issues identified in the testing. 

 

E. Applications and Criticality Analysis 

WSU Employee Wellness will analyze and document the criticality of specific applications and data on information systems containing electronic PHI.  Such applications and data will be rated on how critical they will be for the continued operations during an emergency or disaster.