This entry is part 7 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Tell Me More:

The contingency operations implementation specification requires covered entities to address how authorized personnel will get into a facility (or an alternative facility) to restore lost data when the disaster recovery plan and emergency mode operations plan are invoked. It is one of the implementation specifications under the Facility Access Controls standard, which is a physical safeguard. Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

This is an addressable implementation specification. Addressable does not mean optional: a covered entity must assess whether the specification is reasonable and appropriate for its environment and either implement it or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is. In practice, every covered entity should have a plan to recover from a disaster and, if appropriate, to operate in emergency mode. This requires appropriate backups of both data and hardware and an understanding of which operations in the organization are most critical. In some organizations it may be imperative to keep certain systems running regardless of the problem, e.g., the critical care unit and operating rooms in a hospital. Other organizations may determine that it is acceptable to be “down” for a few days, e.g., most of the functions of a health plan are not time critical.

The Facility Access Controls standard requires formal, documented policies and procedures to limit physical access to the entity’s electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.


Questions to consider:

  • Does the organization have a procedure for gaining access to its primary or alternative facilities that process, transmit, or store ePHI in the event of a disaster, when the Disaster Recovery Plan is executed and restoration of data is required?
  • Is there a plan to get appropriate personnel onsite to restore operations in a timely fashion? This should also be part of the contingency plan.
  • Have these personnel been trained in disaster recovery, and do they understand the restoration priorities? See the Disaster Recovery Plan (Required) implementation specification.



Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations, and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.