What is the Availability of ePHI?

Modified on Tue, 13 Jun, 2023 at 9:29 AM

Under the HIPAA Security Rule, covered entities and business associates must (among other things) do the following: 


Ensure the confidentiality, integrity, and availability of all electronic protected health information that they create, receive, maintain, or transmit.

“Availability” means the property that data or information is accessible and useable upon demand by an authorized person.

What Can Covered Entities and Business Associates Do to Ensure ePHI Availability?
Covered entities and business associates must conduct security risk analyses to identify and assess potential threats and vulnerabilities to the availability of all ePHI that they create, receive, maintain, or transmit. Conducting a risk analysis is the first step in identifying and implementing safeguards that ensure the availability of ePHI.

What are Access Measures That Ensure the Availability of ePHI?

Implementing proper access measures can also ensure the availability of ePHI. These measures include access authorization measures; access establishment and modification measures; and access control and validation procedures.


A covered entity or business associate implements access authorization measures by implementing policies and procedures for granting access to ePHI to authorized persons, through workstations, transactions, programs, processes, or other mechanisms. Granting access authorization ensures that authorized personnel who need PHI have access to that ePHI.


A covered entity or business associate implements access establishment and modification measures by developing policies and procedures that establish, document, review, and modify (including terminate) a user’s right of access to a workstation, transaction, program, or process. Access establishment and modification measures ensure that only those individuals to whom ePHI must be available are given access to that ePHI.


Access control and validation procedures require covered entities and business associates to control and validate a person’s access to facilities based on their role or function. These procedures ensure that PHI is available to these individuals only to the degree that the PHI must be available. 

 

Availability of ePHI and Disaster Recovery Planning
“Availability of ePHI” is a key concept in contingency planning, including data backup and disaster recovery planning. Covered entities and business associates should consider using a cloud service provider (CSP) to back up their data. Recovery of ePHI might be easier for data that is stored on the cloud rather than on a covered entity's (CE's) or business associate's (BA's) own servers because cloud providers generally offer multiple redundancy. “Redundancy” means that ePHI is copied, updated, and stored on servers at multiple locations. Therefore, if a disaster affects one of a CE’s or BA’s locations, ePHI will still be available from other locations.
