Under the HIPAA Access Control Standard, a covered entity (CE) is required to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.” The Access Control Standard has four implementation specifications in Technical Safeguards:
1. Unique User Identification (Required specification)
2. Emergency Access Procedures (Required specification)
3. Automatic Logoff (Addressable specification)
4. Encryption and Decryption (Addressable specification)
In the first article of this series, I discussed the required use of unique user identification. This article provides information on the second required specification of Emergency Access Procedures.
This specification requires a covered entity (CE) to “establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” The procedures referenced are documented instructions and operational practices for obtaining access to necessary electronic protected health information (ePHI) during an emergency. HHS feels that access controls are necessary under emergency conditions, although they may differ significantly from those used in normal operational circumstances. CEs must determine the types of situations that would require emergency access to an information system or application that contains ePHI.
This determination should be part of necessary disaster planning, which includes the protection of PHI. With good disaster planning, procedures must be established before an event to instruct workforce members on possible ways to gain access to needed ePHI during the disaster event. An example situation would be a disaster like a hurricane or ransomware attack, in which power to the practice is lost, causing loss of access or normal access to information systems is lost.
A preparedness plan provides the framework, which includes conducting facility-based risk assessments of threats and preparedness that will assist a facility in addressing the needs of its patient populations. Also, the plan should allow the identification of business operations that will provide support during an actual emergency. Further, a well-designed emergency plan “supports, guides, and ensures a facility’s ability to collaborate with local emergency preparedness officials. This approach is specific to the location of the facility and considers particular hazards most likely to occur in the surrounding area.” All practice preparedness planning should aim for a program and plan that is adequate for both natural and man-made disasters and that includes coordination with federal, state, tribal, regional and local emergency preparedness systems.
In disaster planning incorporating emergency access, the following should be considered:
- Initial disaster planning with elements
- Risk assessment
- A written plan
- Documented policies
- Training
- Documented policies and procedures addressing PHI access
- Incorporation of backup planning
- Use of 3-2-1 systems
- Periodic review of ability to access backed up data
- Staff assignments related to access responsibilities
- Changes of individual access restrictions during a disaster
- Access during situations of practice evacuation
- Incorporation of backup planning
As with many protective medical practice activities, including cybersecurity, it is necessary to plan in advance for emergencies. There is no time to assign workforce responsibilities when disaster events occur.
In September 2016, CMS issued a final rule establishing national emergency preparedness requirements for Medicare and Medicaid-participating providers and suppliers. The intent was for providers and suppliers to adequately plan for all types of disasters and to coordinate with the different emergency preparedness systems. The updated guidance was published in April of 2021 for the 17 types of medical participating providers and certified suppliers affected. All specified facilities were required to develop an all-hazards emergency preparedness program and plan with detailed requirements. Therefore, contingency disaster planning is required by CMS, by the HIPAA Security Rule Administrative Safeguards and, as discussed in this article by Security Rule Technical Safeguards for emergency access.
In the next article, I will discuss the third addressable Access Control Specification - Automatic Logoff.
For further cybersecurity information on this subject and many others, LAMMICO offers policyholders complimentary access to the TMHCC CyberNET®, an advanced cyber risk management resource and education center. Log in as a Member to access the TMHCC CyberNET® portal. Provided in partnership with cyber risk experts, Tokio Marine HCC, this excellent resource is continually updated and well worth the time to review.