Facility Access Controls: Contingency Operations-What to Do and How to Do It

April 24, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

How to Do It

The Security Official is responsible for ensuring that this implementation specification is in place. The covered entity must develop procedures to restore electronic protected health information should it experience a disaster or an emergency related to its physical premises. The covered entity should coordinate these procedures with the disaster recovery and emergency mode operations plans as part of the Contingency Plan, the seventh Administrative Safeguard standard of the Security Rule. In its risk analysis, the covered entity should catalog and prioritize the types of threats and vulnerabilities that might impact facility access, and develop procedures to mitigate those threats and vulnerabilities. These procedures, as outputs of the risk analysis, will provide inputs to the Contingency Operations implementation specification. For example, in the event of a fire, what emergency procedures would your covered entity follow? Where would your covered entity relocate to temporary offices? As another example, what would your covered entity do in the event of a power failure that damaged its computer systems? How and where would your covered entity restore power and access to electronic protected health information?

The key consideration, in response to an emergency affecting internal or external parts of a covered entity’s premises, is restoration of systems and access to electronic protected health information. Accordingly, the contingency operations plan related to facilities should designate key personnel from the workforce and business associates, as appropriate, to handle the emergency or disaster, and ensure that such personnel have access to emergency facilities to restore business operations and systems.

Remember, safeguarding the electrical supply is the key element in maintaining access to electronic protected health information. Contingency operations, as reflected in this implementation specification, must focus on this safeguard and on restoring electrical power if it is lost.
