§164.310(a)(2)(i): Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Audit Inquiry

Does the entity have policies and procedures in place that allow facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency?

Does the entity allow facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency?

Obtain and review contingency operations procedures. Evaluate the content in relation to the specified performance criteria that allow facility access for the restoration of lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of all types of potential disasters.

Elements to review may include but are not limited to:
• Identification of who will need access to ePHI in the event of a disaster
• Backup plan for access to the facility and/or ePHI
• Workforce member roles and responsibilities for implementing the contingency plan for accessing ePHI in each department, unit, etc.
• Procedures for accessing restored data at the alternate processing, storage, and work site
• Procedures for testing contingency operations

Obtain and review documentation demonstrating contingency operation procedures currently implemented. Evaluate and determine if processes are in accordance with related policies and procedures.

Obtain and review documentation demonstrating that contingency operation procedures are tested. Evaluate and determine if testing is conducted on a periodic basis and testing results are documented, including a plan of corrective actions, if necessary.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable