(2) Implementation specifications:
(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Tell Me More:
For the contingency operations implementation specification, covered entities must address establishing (and implementing as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
This is an addressable implementation specification; however, all covered entities should consider having in place a plan to recover from a disaster and, if appropriate, to operate in emergency mode. This requires having appropriate backups – both data and hardware – and understanding what the most critical operations in the organization are. In some organizations it may be imperative to keep some systems running regardless of the problem, e.g., the critical care unit and operating rooms in a hospital. Other organizations may determine that it is acceptable to be “down” for a few days, e.g., most of the functions in a health plan are not time critical.
Facility access controls require formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed.
A complete set of HIPAA Security Policies and Procedures may be purchased here.
Questions to consider:
- Does the organization have a procedure for access to its primary facilities or alternative facilities, that process, transmit or store ePHI, in the event of a disaster and execution of the Disaster Recovery Plan where the restoration of data is required?
- Is there a plan to get appropriate personnel onsite to restore operations in a timely fashion? This also should be part of your contingency plan.
- Have these personnel been trained in disaster recovery and do they understand the priorities? See Disaster Recovery Plan (Required) implementation specification
- NIST SP 800-12 chapter 15 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems