This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Access Control Emergency Access

Reference: § 164.308(a)(2)(ii)
Last Updated: April 24, 2024

Purpose

Create access during emergency situations while protecting ePHI, as required by the Emergency Access Specification.

Policy

Preliminary Actions

The Security Officer and the management team will meet once per year to identify potential situations that may require emergency access. The outcome of this meeting shall cover the following areas:

  • Emergencies that may require access to ePHI.
  • For each emergency, identify:
    • Primary and Secondary responsible points of contact and authorization
    • Systems that will require access
    • Information that will be accessible on a per system basis
  • Usernames for emergency accounts shall start with the 911 designation to facilitate tracking of these accounts. Additional characters should describe the emergency, such as fire, flood, etc. For example, a valid username may be: 911Fire2017
  • Strong passwords shall be implemented for every account. Password selection shall be the responsibility of the Primary designator for that emergency.
  • Account permissions should be set to the minimum access needed to take care of actions during emergencies.
  • Systems with emergency actions should have the capability to track when the emergency action access account was used and what information was accessed.

Process

Prior to using the emergency access, the Security Manager or designated representative should have declared an emergency. If neither of these persons is available, then the person responsible for access should document the attempts to contact a designated person or the reason to override such attempts.

Once an emergency has been declared, access shall be monitored and kept open until such time that the emergency is under control and access is no longer needed.

Post Actions

  • Disable or delete the emergency account(s) that were used, to prevent reuse.
  • Conduct an audit of the system and the access given. Capture the individuals given access, data accessed, emergency conditions, and any other relevant data.
  • Review actions and make changes to procedures if needed.
  • Reconcile data if any new entries were made.
  • Change passwords.