UAB IT product and contract intake
Technology Contract & Product Review
UAB IT reviews technology-related contracts, software, products, and services before execution to evaluate security, data protection, and IT implementation needs such as single sign-on, installation, integrations, and support.
Start with IT review. After IT approval, submit the contract through UAB Contract Management and include your ServiceNow RITM number.
How the review works
Complete the IT review before sending the contract through UAB Contract Management for legal review.
Confirm data type
Use the data classification worksheet and UAB's public, sensitive, and restricted/PHI requirements to identify the data involved.
Gather documents
Use the finder or reference cards below to collect the contract, use case, security review, BAA, research, or equipment documents that apply.
Submit IT request
Send the product or contract review request to UAB IT through ServiceNow with the required documents attached.
Finish in CMS
After IT approval, submit to UAB Contract Management and include the ServiceNow RITM number.
HR data note
If you need access to HR data, contact HR Information Systems before submitting to UAB IT at
Data classification
Use data risk to choose the path
All UAB data stored, processed, or transmitted must be classified. The finder uses these simplified categories to point users toward the likely document set.
Public Data
Low-risk data UAB has chosen or is required to disclose publicly, such as public websites, course catalogs, public research findings, press releases, and newsletters.
Sensitive Data
Moderate-risk confidential data. Examples include FERPA, budgetary plans, proprietary business plans, patent-pending information, and data protected by law.
Restricted/PHI Data
High-risk or highly confidential data, including HIPAA, PHI, SSNs, credit card numbers, GLBA, export-controlled data, FISMA data, login credentials, and NDA-protected information.
Classification checkpoints
Work through these sections in order. When a checkpoint applies, route the request according to the highest-risk data involved.
Checkpoint 1: Is the data subject to regulatory, standard, grant, or contractual protection requirements?
Review the data set for any of the following requirements. The label on each item shows the classification path it triggers.
Checkpoint 2: Does the data contain personally identifiable information?
Personally identifiable information maps to the restricted path in this worksheet because it can distinguish, trace, or logically associate information with a specific individual.
Checkpoint 3: Does the data contain protected health information?
Protected health information maps to the restricted path. To be considered de-identified, all 18 HIPAA identifiers must be removed.
Checkpoint 4: If none of the above apply, answer the final classification questions
Public path
Is the data already publicly available, or does UAB wish to publicize the data?
Sensitive path
Is the data confidential and limited to UAB or approved third parties with authorization to access and view it?
Restricted path
Is the data highly confidential, limited by strict need-to-know access, or likely to cause major harm to UAB if exposed?
Interactive guide
Find your likely required documents
Answer a few routing questions to identify the likely review path and document set. Final review may adjust the path if data type or system scope changes.
Classification reminder
Free software still needs the correct review path if it stores, processes, transmits, or accesses UAB data.
Reference
Required documents by review path
Compare requirements across paths in the table, or use cards for a readable summary.
Fast track CDA / NDA
Clear the confidentiality step before product review
Use this path when a vendor will not share security documents until an NDA is signed. The CDA helps unlock the vendor documents; it does not replace the IT product or contract review.
CDA fast-track flow
Complete these steps before asking the vendor for the documents needed for the product review.
- Send UAB's CDA: Ask the vendor to sign the UAB CDA rather than starting with the vendor's NDA.
- Route for signature: After the vendor returns the CDA, submit it through Contract Management for official UAB signature.
- Request documents: Once both signatures are complete, send the CDA back to the vendor and request the review documents.
Vendor only has a portal?
If the vendor refuses to send documents and only provides a security portal, include the portal link in the IT review request.
Then continue normal review
After the CDA step, use the document finder or comparison table above to confirm what must be attached.
Planning
Estimated turnaround time
Turnaround starts after the request and all required documentation have been provided. EISO reviews contracts involving Sensitive and Restricted/PHI data.
Public Data
1–2 business days
Typical when documentation is complete.
Sensitive Data
1–7 business days
Depends on security documentation and data use.
Restricted/PHI or HSIS
Varies
No fixed SLA. Updates will be provided through the RITM.
Common situations
Do I submit to IT or Contract Management first?
Submit to IT first for product or contract review. After IT approval, submit through UAB Contract Management and include the RITM number.
What if the vendor provides SOC2 instead of HECVAT?
SOC2, ISO 27001, CSA CAIQ, and HSIS RA are listed alternatives for Sensitive and Restricted/PHI reviews. HECVAT Lite is preferred for Sensitive; HECVAT Full is preferred for Restricted/PHI.
What if PHI or ePHI is involved?
Treat PHI/ePHI as Restricted/PHI and determine whether HSIS or EISO approval applies. A BAA may be required for business associates.
What if I am not sure which path applies?
Use the document finder, include what you know in the ServiceNow request, and attach the most conservative documentation available. Final routing can be adjusted during review.
Ready to submit?
Attach the required documents and submit your product/contract review request to UAB IT.
