HIPAA Compliance

Access Control: Emergency Access Procedure-What to Do and How to Do It

June 4, 2009 | HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is required. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

Establish and implement as needed procedures for obtaining necessary electronic protected health information during an emergency.

How to Do It

Emergency access refers to access needed when data and systems containing electronic protected health information are lost due to an emergency. Emergencies may include, but are not limited to, fire, vandalism, terrorism, system failure, or natural disaster. In an emergency situation, a delay in accessing vital information could result in danger to someone’s health.

As part of its risk analysis, a covered entity should identify emergency situations that would warrant immediate access to electronic protected health information. The Security Official of the covered entity should prepare a written inventory of such situations. The covered entity should coordinate policies and procedures for this technical safeguard standard implementation specification with the policies and procedures developed for the Facility Access Physical Safeguard Standard implementation specification: Contingency Operations.

The covered entity should work with its electronic information system and software vendors to establish emergency access procedures to accommodate the emergency situations identified in the risk analysis. Such procedures should include offsite backup of electronic protected health information. In addition, a covered entity should consider “alarm” procedures to respond to an emergency, including the use of a special user password by the Security Official and one other designated workforce member who would have full access to electronic protected health information and who would be accountable for their actions. Finally, a covered entity should document emergency response procedures and distribute them to workforce members, and maintain a special audit log of responses to emergencies.
