Emergency Access to Health Information during COVID-19

Now, more than ever, healthcare professionals are moving quickly and require access to information they’ve never needed before.

Utilize this guide to formalize, implement, and create increased security for your whole team.

Example Scenario: The orthopedics unit at one hospital has been converted to an ICU. The ortho unit has been transferred to a field hospital. The employees' EMR access is normally limited to the facility and unit where they work. However, they have not received access at their new location. They are sharing a group login and password or using downtime procedures until their new access is provisioned.

During the COVID-19 response or a long-term disaster, workforce access security needs may change as work reassignments require new levels of access in one or more units or facilities, or for those working from remote locations.

There are policy exception options to consider when there is a need to elevate access for multiple groups of users. An emergency access "Break the Glass" (BtG) process should be part of your emergency operations or disaster recovery plan, and it should be exercised on a regular basis to work out workflow or technical issues.

Below you will find a few steps for your identity access management (IAM), enterprise risk, legal, and operations teams to help you design a "break the glass" process that can provide flexible, secure access to critical software applications.

Workforce members should be able to move between units or facilities, or work remotely, with minimal work interruption and still comply with privacy and security safeguards.


During normal operations, healthcare workers are provided only the access they need to support their job function. However, as essential workforce members are supporting the COVID-19 response, there may be policy exceptions which require the elevation of access for multiple groups of users. Note that this method of break the glass is not the EMR alert which users receive when accessing a sensitive part of a patient's record. The context of break the glass here is the elevation of access of groups of users to support a mass casualty or public health event such as the COVID-19 response.

A well-designed break the glass process will reduce policy, operational, and technical barriers to patient information. If such a process is not used, those barriers can cause more harm to the patient than the original safeguard.

The break the glass process should not be a workaround when one user needs extra access or a co-worker is absent, or a substitute for a poorly designed identity access management process. HIPAA still requires maintaining minimum necessary access, strong passwords, and audit and monitoring controls. Electronic prescriptions for controlled substances still require multi-factor authentication.

Next Steps:

  1. Assemble your information technology and identity access management teams, clinical application SMEs, EMR vendor(s), privacy and security officials, and operations supervisors to co-design a Break the Glass policy and complementary process for system and database administrators, EMR administrators, and essential workforce users who will be assigned to Break the Glass security access.

  2. Create policy exception justifications for the use of the BtG process.

    a) Transferring staff members to a different department, role, or facility.

    b) Provisioning bulk remote workers.

    c) Information technology department requires additional system administrators to support an incident.

    d) Onboarding large groups of new workforce members to assist with response.

  3. Consider the requirements for providing bulk elevated access using pre-staged roles, facilities, departments, and groups within Active Directory, the remote VPN group, multi-factor authentication, and the critical applications in scope.

  4. Create a predetermined, documented process with established criteria and an approval process to activate BtG. (Think 2-3 executive-level approvals, like nuclear codes.)

  5. Create criteria for activating the Break the Glass process and backend prewritten scripts to run upon activation of the BtG procedure to automate the process.

  6. Extend audit trails with longer retention periods. Back up audit trails, including to a location offsite from the originating location.

  7. Present design to leadership for approval.

  8. Test the implementation and update it to address issues found.

  9. Train all impacted workforce members on their role during BtG process.

  10. Exercise the Break the Glass process.
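
A sketch of the activation gate that steps 2 through 6 describe, added here as an example and not taken from the guide or any vendor's tooling: a request is honored only with a listed justification and two distinct executive approvals, it returns grants against pre-staged groups, and every decision is written to an audit log. The approver names, group names, 72-hour window, and hash-chained log are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Every name and value here is a hypothetical placeholder, not from the guide.
APPROVERS = {"cio", "ciso", "cmio", "coo"}  # executives allowed to approve
REQUIRED_APPROVALS = 2                      # step 4: 2-3 executive approvals
BTG_HOURS = 72                              # assumption: elevation is time-boxed
PRESTAGED = {                               # step 2 justification -> step 3 groups
    "staff_transfer": ["BTG-ICU-EMR", "BTG-FieldHospital-EMR"],
    "bulk_remote": ["BTG-Remote-VPN"],
}

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def audit(log, event, **fields):
    """Append a record chained to the previous one so edits are detectable."""
    record = {"event": event, "prev": log[-1]["hash"] if log else "0" * 64, **fields}
    record["hash"] = _digest(record)
    log.append(record)

def chain_intact(log):
    prev = "0" * 64
    for record in log:
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["prev"] != prev or _digest(body) != record["hash"]:
            return False
        prev = record["hash"]
    return True

def activate_btg(requester, justification, approvals, users, now, log):
    """Return the group grants to apply, or None when criteria are not met."""
    # Duplicates, unlisted names and the requester's own approval do not count.
    approvers = sorted({a for a in approvals if a in APPROVERS and a != requester})
    if justification not in PRESTAGED or len(approvers) < REQUIRED_APPROVALS:
        audit(log, "btg_denied", by=requester, why=justification, approvers=approvers)
        return None
    expires = (now + timedelta(hours=BTG_HOURS)).isoformat()
    grants = [{"user": u, "group": g, "expires": expires}
              for u in users for g in PRESTAGED[justification]]
    audit(log, "btg_activated", by=requester, approvers=approvers, grants=grants)
    return grants

def demo():
    """Constructed sample: a duplicated approval is denied, two approvers pass."""
    log, now = [], datetime(2020, 4, 1, tzinfo=timezone.utc)
    denied = activate_btg("it_dir", "staff_transfer", ["cio", "cio"], ["rn_a"], now, log)
    granted = activate_btg("it_dir", "staff_transfer", ["cio", "ciso"], ["rn_a"], now, log)
    return denied, granted, chain_intact(log)
```

In a real deployment the returned grants would drive the prewritten provisioning scripts, and the log would be shipped to the offsite audit store.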


In preparation for a global Coronavirus (COVID-19) pandemic, Wakefield Brunswick began collaborating with the international healthcare community at the beginning of January 2020. Since then, we’ve authored and co-created numerous clinical, procedural, and advisory resources in-use at hospitals across North America.

Upcoming updates will include lessons learned and resources regarding staffing, triggers for decision support, and continuity of operations.

Have a question? Send us an email at team@wakefieldbrunswick.com.

WORK COLLABORATIVELY. ACT DECISIVELY.

The WB Team

Disclaimer: We at Wakefield Brunswick feel strongly that in order to effect positive outcome change in this critical time, conveying information in a timely manner is critical. We will continue to follow the advice of medical experts and to disseminate actionable information as fast as possible. We further understand that this will necessitate periodic revisions and clarifications of some of our recommendations. Please remain flexible to update your protocols with these modifications if and when they become necessary.