Emergency Access Procedure

The Emergency Access Procedure task of the Access Control section requires agencies establish and implement procedures for obtaining necessary EPHI during an emergency.

This could entail many items depending on the "emergency". If any one user has access to specific EPHI data, there must another way to access this data. A manger must have or be able to access or change the user password in order to access the data if the user is not available. Your network operating system and/or application software should allow for this. As this task is covering Access Control only it is not intended to include all of the items that should be found in your Disaster Recovery Plan or your Emergency Mode Operation Plan, which are separate requirements of the HIPAA Security Rule . This task basically requires that you have a policy regarding gaining access to a user's EPHI data if they are not available.