In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
How to Do It
The Security Official is responsible for ensuring that this implementation specification is in place. The covered entity must develop procedures to restore electronic protected health information should it experience a disaster or an emergency related to its physical premises. The covered entity should coordinate these procedures with the disaster and emergency operations plans as part of the Contingency Plan, the seventh Administrative Safeguard standard of the Security Rule. In its risk analysis, the covered entity should catalog and prioritize the types of threats and vulnerabilities that might impact facility access, and develop procedures to mitigate those threats and vulnerabilities. These procedures, as outputs of the risk analysis, will provide inputs to the Contingency Operations implementation specification. For example, in the event of a fire, what would your covered entity have as emergency procedures? Where would your covered entity relocate to temporary offices? As another example, what would your covered entity do in the event of a power failure that damaged your covered entity’s computer systems? How and where would your covered entity restore power and access to electronic protected health information?
The key consideration, in response to an emergency affecting internal or external parts of a covered entity’s premises, is restoration of systems and access to electronic protected health information. Accordingly, the contingency operations plan related to facilities should designate key personnel from the workforce and business associates, as appropriate, to handle the emergency or disaster, and should ensure that such personnel have access to emergency facilities to restore business operations and systems.
Remember, safeguarding electricity is the key element in providing access to electronic protected health information. Contingency operations, as reflected in this implementation specification, must focus on this safeguard and restoring electrical power if it is lost.