(2) Implementation specifications:

 (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

 

Tell Me More:

The Emergency Access Procedure implementation specification requires covered entities to establish (and implement as needed) procedures for obtaining necessary electronic protected health information (EPHI) during an emergency. Emergency access is a necessary part of access control and will be necessary under emergency conditions, although these might be very different from those used in normal operational circumstances.

The need for access to ePHI may change during an emergency. Specifically, some job functions may be temporarily realigned necessitating different access to ePHI by workforce members. In addition, the need to restore and verify the integrity of the restored data may require different access by information technology personnel and others involved in disaster recovery.

complete set of HIPAA Security Policies and Procedures may be purchased here.

Questions to consider:

  • Does the contingency plan require different access to ePHI during an emergency?
  • If so, do the technical systems have the ability to support such temporary changes in access? If not, the organization may have to implement new systems to support the contingency plan.
  • Are there procedures for activating emergency access? The procedures should address who can authorize such access and under what conditions.

 

References:

Series Navigation<< 164.312(c)(2) Standard: Integrity – Mechanism to authenticate electronic protected health information164.308(a)(5)(i) Administrative safeguards – Standard: Security awareness and training >>