How does an emergency access procedure work?

Emergency access procedures are protocols that take place during unforeseen circumstances threatening the availability of electronic protected health information (ePHI). In these cases, hospital teams have to respond rapidly to ensure medical services can continue without compromising patient privacy and security. 

What is an emergency access procedure? 

Emergency access procedures fall under the category of Technical Standards in the HIPAA Security Rule. The implementation specification requires that covered entities “establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.” 

The protocols allow authorized personnel to obtain ePHI during emergencies when normal access methods are unavailable. The HHS Security Series on Technical Safeguard notes, ”Access controls are necessary under emergency conditions, although they may be very different from those used in normal operational circumstances. Covered entities must determine the types of situations that would require emergency access to an information system or application that contains EPHI.” The procedures that allow access are documented to include specific instructions for cases like power outages, cyberattacks, or other crises that pose a risk to standard operations. 

How it works

1. Emergency access procedures are preestablished protocols for accessing ePHI during emergencies.
2. These procedures allow authorized personnel to bypass normal access controls when standard methods fail.
3. They are documented in advance to provide clear instructions for staff during crises.
4. Situations that may trigger these procedures include power outages, cyberattacks, or natural disasters.
5. Organizations must identify who requires emergency access and under what circumstances.
6. Staff must be trained on these procedures to ensure swift and effective implementation.
7. Emergency access often involves a "break glass" method, allowing temporary access to critical systems.
8. Logs should be maintained to document the use of emergency access for accountability and review.
9. After the emergency, access privileges should be restored to their original state.

HIPAA compliant text messaging for emergency access procedures

HIPAA compliant text messaging provides a secure way to improve response times during emergencies. Healthcare providers can share patient updates and information related to the emergency. For example, emergency department team members can receive information about the event that triggered emergency access, how long the procedure will last, and why limited access procedures are in effect. In an emergency where every second counts, it facilitates better decision-making and less confusion. 

FAQs

Who needs access to ePHI in the event of an emergency?

In an emergency, access to ePHI is typically needed by healthcare providers, emergency responders, and administrative staff who are directly involved in patient care or emergency management.

Should email be used during the initial stages of an emergency? 

Email should generally not be used during the initial stages of an emergency due to the possible loss of internet connection or power that could result in information not reaching all relevant parties. In cases where internet or power outages are unlikely impacted, email may be used. Some companies may send out alerts through multiple communication methods, such as email and text.