(2) Implementation specifications:
(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Tell Me More:
The Emergency Access Procedure implementation specification requires covered entities to establish (and implement as needed) procedures for obtaining necessary electronic protected health information (ePHI) during an emergency. Emergency access is a necessary part of access control. Access controls will still be necessary under emergency conditions, although they might be very different from those used in normal operational circumstances.
The need for access to ePHI may change during an emergency. Specifically, some job functions may be temporarily realigned, necessitating different access to ePHI by workforce members. In addition, the need to restore data and verify the integrity of the restored data may require different access by information technology personnel and others involved in disaster recovery.
Questions to consider:
- Does the contingency plan require different access to ePHI during an emergency?
- If so, do the technical systems have the ability to support such temporary changes in access? If not, the organization may have to implement new systems to support the contingency plan.
- Are there procedures for activating emergency access? The procedures should address who can authorize such access and under what conditions.