Under the HIPAA Security Rule, covered entities (CEs) and business associates (BAs) are required to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Security Rule technical safeguards contain a series of standards whose requirements CEs and BAs must meet. Under the first of these standards, the Access Control standard, covered entities and business associates must implement emergency access procedures.  

HIPAA Emergency Access Procedures

What are Emergency Access Procedures?

The required HIPAA emergency access procedures are documented instructions and operational practices for obtaining access to necessary ePHI during an emergency situation. Having access controls – those measures that provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files – is necessary for a business to operate under emergency conditions.

Covered entities and business associates, under the emergency access procedures implementation specification, must determine what types of situations require emergency access, or “break glass,” into an information system or application that contains ePHI. Situations that might require such emergency access include power outages and cyberattacks.

HIPAA Security Rule emergency access procedures must be established beforehand to instruct workforce members on possible ways to gain access to needed ePHI in, for example, a situation in which normal environmental systems, such as electrical power, have been severely damaged or rendered inoperative due to a natural or man-made disaster.

Covered entities and business associates should consider the following factors as they develop, maintain, and refine their emergency access policies and procedures:

  • Who needs access to ePHI in the event of an emergency?
  • Do contemplated emergency access procedures allow for appropriate (authorized) access to ePHI in emergency situations?

What Kinds of Emergency Access Procedures Should be Implemented?

Examples of specific emergency access procedures include:

  • Procedures for offsite backup of electronic protected health information.
  • “Alarm” procedures to respond to an emergency. 

To ensure employees are aware of emergency access procedures, organizations should distribute written copies of these procedures to staff. If an emergency occurs, organizations should maintain a log describing how staff responded to the emergency. The log should include which emergency access procedures (i.e., backups, disaster recovery plans) were implemented, and whether they were implemented successfully.
