CONTINGENCY OPERATIONS

ADMINISTRATIVE MANUAL

APPROVED BY:

SUPERSEDES POLICY:

DATE:

POLICY # 30

ADOPTED:

REVISED:

REVIEWED:

REVIEW:

PAGE:

HIPAA Security Rule Language:

“Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”

Policy Summary: Sindecuse Health Center (SHC) must have formal, documented procedures for allowing designated individuals to enter its facilities to take necessary actions as defined in its Disaster Recovery and Emergency Mode Operations Plans.

Purpose: This policy reflects SHC’s commitment to ensure that, in the event of a disaster or emergency, appropriate individuals can enter its facilities to take necessary actions defined in its Disaster Recovery and Emergency Mode Operations Plans.

Policy: 1. SHC must ensure that, in the event of a disaster or emergency, appropriate persons can enter its facility to take necessary actions defined in its Disaster Recovery and Emergency Mode Operations Plans.

2. Based on its Emergency Mode Operations Plan, SHC must develop, implement, and regularly review a formal, documented procedure that ensures that authorized employees can enter the facility to enable continuation of processes and controls that protect EPHI while SHC is operating in emergency mode. Such employees or roles must be defined in SHC’s Emergency Mode Operations Plan. Actions taken by such employees must be appropriately tracked and logged as defined in SHC’s Emergency Mode Operations Plan.

3. All access rights to SHC processes and controls which protect EPHI must be clearly defined and documented. Such rights must be provided only to SHC employees having a need for specific access in order to accomplish a legitimate task related to contingency operations. All such access rights must be regularly reviewed and revised as necessary.

4. In the event of an emergency, only authorized SHC employees may administer or modify processes and controls which protect EPHI contained on information systems. Such employees or roles must be defined in SHC’s Emergency Mode Operations Plan.

Scope/Applicability: This policy is applicable to all departments that use or disclose electronic protected health information for any purposes.

This policy’s scope includes all electronic protected health information, as described in Definitions below.

Regulatory Category: Physical Safeguards

Regulatory Type: ADDRESSABLE Implementation Specification for Facility Access Controls Standard

Regulatory Reference: 45 CFR 164.310(a)(2)(i)

Definitions: Electronic protected health information means individually identifiable health information that is:

Transmitted by electronic media

Maintained in electronic media

Electronic media means:

(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Facility means the physical premises and the interior and exterior of a building(s).

Access means the ability or the means necessary to read, write, modify, or communicate data or otherwise use any system.

Disaster means an event that causes harm or damage to [Hospital Name] information systems. Disasters include but are not limited to: earthquake, fire, extended power outage, equipment failure, or a significant computer virus outbreak.

Emergency means a crisis situation.

Responsible Department: Information Systems

Policy Authority/Enforcement: SHC’s Security Official is responsible for monitoring and enforcement of this policy, in accordance with Procedure # (TBD).

Related Policies:

Facility Security Plan

Access Control and Validation Procedures

Maintenance Records

Renewal/Review: This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed.

Procedures: TBD

Copyright 2003 Phoenix Health Systems, Inc.

Limited rights granted to licensee for internal use only.

All other rights reserved.
