Facility Access Controls: Contingency Operations - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first
implementation specification for the Physical Safeguard standard, Facility Access Controls. This
implementation specification is addressable. Remember, addressable does not mean "optional."
Rather, an addressable implementation specification means that a covered entity must use reasonable
and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com,
business associates of covered entities will be required to comply with the Security Rule safeguard
standards beginning February 17, 2010. This requirement is one of the HITECH Act provisions of
the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17,
2009.

What to Do
Establish (and implement as needed) procedures that allow facility access in support of restoration of
lost data under the disaster recovery plan and emergency mode operations plan in the event of an
emergency.

How to Do It
The Security Official is responsible for ensuring that this implementation specification is in place.
The covered entity must develop procedures to restore electronic protected health information should
it experience a disaster or an emergency related to its physical premises. The covered entity should
coordinate these procedures with the disaster recovery and emergency mode operations plans as part of the
Contingency Plan—the seventh Administrative Safeguard standard of the Security Rule. In its risk
analysis, the covered entity should catalog and prioritize the types of threats and vulnerabilities that
might impact facility access, and develop procedures to mitigate those threats and vulnerabilities.
These procedures, as outputs of the risk analysis, will provide inputs to the Contingency Operations
implementation specification. For example, in the event of a fire, what emergency procedures would
your covered entity have in place? Where would your covered entity relocate to temporary offices? As
another example, what would your covered entity do in the event of a power failure that damaged
your covered entity's computer systems? How and where would your covered entity restore power
and access to electronic protected health information?

The key consideration, in response to an emergency affecting internal or external parts of a
covered entity's premises, is restoration of systems and of access to electronic protected health
information. Accordingly, the contingency operations plan related to facilities should include
designation of key personnel from the workforce and from business associates, as appropriate, to handle
the emergency or disaster, and should ensure that such personnel have access to emergency facilities to
restore business operations and systems.

Remember, safeguarding electrical power is the key element in providing access to electronic protected
health information. Contingency operations, as reflected in this implementation specification, must
focus on this safeguard and on restoring electrical power if it is lost.