HIPAA Emergency Access: How to Create a Compliant Procedure for Your EHR System (45 CFR § 164.312(a)(2)(ii))
Executive Summary
When emergencies strike, healthcare providers must be able to access critical patient information without delay but still remain compliant with HIPAA. Section § 164.312(a)(2)(ii) of the Security Rule mandates that covered entities establish and implement procedures for emergency access to electronic protected health information (ePHI). This requirement, commonly known as the “break glass” provision, ensures that medical care isn’t delayed during crises while maintaining a documented trail of access. For small practices, balancing speed and security is a challenge but one that can be addressed with clear policies, system-level safeguards, and simple staff training. This guide walks through what’s required, how to build a compliant emergency access procedure, and how to prepare for real-world scenarios that test your readiness.
Introduction
Whether it’s a cardiac arrest in the waiting room, a power failure that disables your local servers, or an urgent call from a hospital treating your patient, emergencies happen in healthcare. In those moments, your EHR system needs to grant rapid access to ePHI even to users who might not normally have that level of privilege.
But this access must be controlled, limited, and documented, or your practice could be found in violation of the HIPAA Security Rule. The emergency access provision is designed to support patient care, not bypass security altogether.
If your EHR has a “break glass” function, or you’ve never configured one, now is the time to build a simple, compliant procedure that protects patients and your practice alike.
What § 164.312(a)(2)(ii) Actually Requires
Under the HIPAA Security Rule, § 164.312(a)(2)(ii) requires:
“Procedures for obtaining necessary electronic protected health information during an emergency.”
This is part of the Access Control standard within the Technical Safeguards. It is a required specification not addressable and applies to all covered entities and business associates that maintain or access ePHI.
What does this mean in practice? Your EHR and access policies must support:
- Designated emergency access roles or mechanisms
- Controlled, logged access to ePHI in emergencies
- Staff awareness and training on when and how to use it
- Post-event audits and review of access
These procedures must be documented and integrated into your broader HIPAA security plan.
Why It Matters in Real Life
When emergencies happen, time is critical. If your access controls are too rigid, patient care suffers. But if emergency access is too loose or undocumented, you risk:
- Unauthorized access to sensitive data
- Failure to meet audit requirements
- Civil penalties for negligent safeguards
- Loss of trust among patients and staff
A well-crafted emergency access procedure offers a middle ground: rapid access with accountability.
A Case Study: No Emergency Procedure, No Defense
In 2021, a mid-sized pediatric clinic experienced a local network outage during a regional power disruption. A provider needed to view a child’s allergy and prescription history before transferring them to a nearby ER. The clinic’s EHR required VPN access, which was down. A nurse used a personal device to access a cloud-based backup, downloading and emailing the child’s records to the hospital.
Although care was provided, the child’s parents filed a complaint with OCR after discovering their data had been transmitted over unencrypted email. The practice lacked a formal emergency access procedure and couldn’t demonstrate that the nurse’s access was sanctioned or controlled.
OCR issued a monetary penalty and required the clinic to implement a comprehensive emergency access protocol, including policy documentation, staff training, and technical safeguards.
This example shows that even good intentions can violate HIPAA if procedures aren’t clearly defined and followed.
How to Build Compliant Emergency Access Procedure
Creating an emergency access protocol doesn’t require complex technology, but it must include clear steps, assigned responsibilities, and system-level controls.
1. Define What Constitutes an “Emergency”
Start by defining the types of events that justify break-glass access:
- Patient safety risk (e.g., unconscious patient needs records)
- Natural disaster or power outage affecting normal systems
- Network or VPN failure
- System downtime due to patching or cyberattack
- Urgent care coordination during off-hours
Avoid vague terms like “when needed” and ensure your staff knows the threshold for triggering emergency access.
2. Assign Emergency Access Roles
Your EHR system should include privileged accounts, often called "break glass accounts" assigned to:
- Physicians
- Nurse Practitioners
- Medical Directors
- Privacy Officers (as supervisors)
These roles should allow temporary access to all patient records, only in emergency scenarios, and require additional authentication or confirmation.
Ensure that:
- Each use is logged
- The user is identified individually
- The event is auditable and reviewed after the fact
3. Use EHR Configuration Tools
Most modern EHR platforms include emergency access capabilities:
- Epic uses “break-the-glass” alerts, requiring reason entry
- Cerner flags and logs elevated access events
- Athenahealth allows admin override with two-factor approval
- eClinicalWorks supports emergency profile access tracking
Work with your vendor to configure:
- Alert banners when break-glass access is triggered
- Mandatory reason entry fields
- Time-limited session control
- Automated audit trail for each use
4. Document the Procedure
Your policy should describe:
- When emergency access may be used
- Who may use it
- How to log the access
- What system alerts are generated
- How to report improper access
- When a post-event review must occur and by whom
Store this policy with your HIPAA Security documentation and ensure it’s updated as systems evolve.
5. Train Your Staff
- What qualifies as an emergency
- How to access systems using emergency protocols
- The requirement to document each access
- That misuse may result in sanctions
Use simple scenarios during training to illustrate correct use and consequences of improper access.
6. Conduct Regular Testing
Include emergency access in your periodic risk assessment and run drills at least annually. Review:
- Are roles and permissions still correct?
- Are alerts functioning?
- Are logs accurate and retrievable?
- Do staff remember the process?
Update your procedure based on lessons learned during testing.
Common Pitfalls
- No policy exists emergency access is assumed to be intuitive
- Shared emergency credentials with no individual tracking
- Failure to review audit logs after emergency events
- EHR not configured for break-glass access
- Staff unaware of how or when to trigger emergency access
- No expiration on emergency permissions granted temporarily
Expert Tips for Small Practices
- Use named break-glass accounts tied to specific users
- Include emergency access logs in your quarterly HIPAA audits
- Create a paper backup process in case of total system failure
- Require staff to notify a Privacy Officer immediately after emergency access
- Set up auto-notification emails from your EHR when emergency access is used
- Keep your emergency access users to no more than 2–4 individuals to limit risk
- Document all post-incident reviews in writing, signed by the compliance team
Sample Checklist: Emergency Access Procedure Readiness
| Task | Responsible Party | Frequency |
|---|---|---|
| Identify emergency use cases | Privacy Officer | Annually |
| Assign emergency roles in EHR | System Admin | Onboarding |
| Document written policy | HIPAA Security Officer | Review every 12 months |
| Configure EHR break-glass alerts | EHR Vendor or IT Lead | Initial setup + updates |
| Train staff on procedures | HIPAA Training Coordinator | Annually |
| Review audit logs for emergency use | Privacy Officer | After each event |
| Test access with simulated event | Practice Manager + IT | Semi-annually |
Regulatory References and Official Guidance
Concluding Recommendations and Next Steps
An emergency access procedure is not just a HIPAA checkbox, it’s a life-saving and liability-reducing safeguard. Your EHR should support it. Your staff should understand it. Your compliance team should document and review it. Whether it’s a system outage or a critical patient event, your ability to respond appropriately while protecting patient privacy is a direct reflection of your preparedness.
To move forward:
- Review your current access control configurations
- Work with your EHR vendor to implement or refine break-glass features
- Document your procedure and assign clear roles
- Test and train regularly to ensure readiness
- Incorporate emergency access into your broader risk management framework
When handled correctly, emergency access becomes a strength not a vulnerability for your practice.