Description: 

164.312(a)(2)(ii) - Access Control — Emergency Access Procedure - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.


Audit

The customer is responsible for implementing policies that document the procedures required to access ePHI on AWS in an emergency. As one illustrative example, it is the customer's responsibility to decide whether to ensure that more than one user has access to any particular ePHI on AWS, in case the primary user is unavailable in an emergency.


Rationale: 

In this architecture, the use of multiple AWS Availability Zones (AZs), Amazon S3 storage, and a replicated RDS database constitutes a built-in, live alternate storage and processing capability. ePHI storage is limited to the Amazon RDS database, Amazon S3 buckets, and potentially secondary EBS volumes attached to the application/web server EC2 instances, which employ storage redundancy to maintain exact copies of ePHI at all times.

Built-in AWS features let the customer connect to and access its AWS account environment from any location the customer has approved and configured. This supports access to AWS resources and ePHI during an emergency.


Impact of Resource Type(s):

AWS::EC2::AvailabilityZone

AWS::AutoScaling::AutoScalingGroup

AWS::RDS::DBSubnetGroup

AWS::RDS::DBInstance

AWS::S3::Bucket

AWS::EC2::Subnet


References: 

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf