HIPAA - Contingency Operations 164.310(a)(2)(i)


Overview:
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.


Action Items:
1) Obtain and review contingency operations procedures. Evaluate the content in relation to the specified performance criteria that allow facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of all types of potential disasters. Elements to review may include but are not limited to: Identification of who will need access to ePHI in the event of a disaster; Backup plan for access to the facility and/or ePHI; Workforce member roles and responsibilities for implementing the contingency plan for accessing ePHI in each department, unit, etc.; Procedures for accessing restored data at the alternate processing, storage, and work site; Procedures for testing contingency operations.
2) Obtain and review documentation demonstrating contingency operation procedures currently implemented. Evaluate and determine if processes are in accordance with related policies and procedures.
3) Obtain and review documentation demonstrating that contingency operation procedures are tested. Evaluate and determine if testing is conducted on a periodic basis and testing results are documented, including a plan of corrective actions, if necessary.


Related Documents:
1) Contingency operations procedures
2) Documentation demonstrating contingency operation procedures currently implemented
3) Documentation demonstrating that contingency operation procedures are tested


Additional Guidance:
Contingency operations may be set in motion during or immediately following a disaster or emergency situation. During contingency operations, it is important to maintain physical security and appropriate access to ePHI while allowing for data restoration activities.


Facility access controls during contingency operations will vary significantly from entity to entity. For example, a large covered entity may need to post guards at entrances to the facility or have escorts for individuals authorized to access the facility for data restoration purposes. For smaller operations, it may be sufficient to have all staff involved in the recovery process.


Sample questions for covered entities to consider:
- Are procedures developed to allow facility access while restoring lost data in the event of an emergency, such as a loss of power?
- Can the procedures be appropriately implemented, as needed, by those workforce members responsible for the data restoration process?
- Do the procedures identify personnel that are allowed to re-enter the facility to perform data restoration?
- Is the content of this procedure also addressed in the entity's contingency plan? If so, should the content be combined?



Article ID: 464
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-contingency-operations-164-310-a-2-i-464.html