What are the HIPAA Security Rule Physical Safeguards? Facility Access Controls

Modified on Tue, 5 Mar at 11:58 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” 

There are four physical safeguard security standards. These are:

1. Facility access controls
2. Workstation use
3. Workstation security
4. Device and media controls


This article covers the first of these standards, the Facility Access Controls Standard. This standard requires covered entities and business associates to: “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

A facility is defined in the Security Rule as “the physical premises and the interior and exterior of a building(s)”.

The Facility Access Controls standard has four implementation specifications - that is, the regulations require covered entities and business associates to implement four specific requirements to meet the standard. These requirements are:

1. Contingency Operations (Addressable)
2. Facility Security Plan (Addressable)
3. Access Control and Validation Procedures (Addressable)
4. Maintenance Records (Addressable)


This article covers each of the requirements.

1. Contingency Operations. This requirement obligates covered entities and business associates to "Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency."


These "procedures" consist of reasonable steps taken by an organization to ensure that, in the event of a disaster or emergency requiring operation in emergency mode, appropriate workforce members can enter the facility to take necessary actions. What necessary actions? The actions outlined in the organization's Disaster Recovery Plan procedures and Emergency Mode Operation Plan procedures.

What are examples of "reasonable steps"?

1. Allowing only authorized workforce members or business associates access to facilities to support restoration of lost data. The Disaster Recovery Plan should identify which individuals are allowed such access.
2. Defining workforce members' roles in the Disaster Recovery Plan.
3. Addressing ePHI systems and electronic media in the Emergency Action Plan - specifically, preparing an asset inventory.
4. Defining in the Disaster Recovery Plan how the actions taken by these workforce members are tracked and logged, and how unauthorized access can be detected and prevented.
5. Based on the Emergency Mode Operations Plan, allowing authorized workforce members to enter the entity's facilities to enable continuation of the processes and controls that protect the confidentiality, integrity, and availability of ePHI while operating in emergency mode.
6. Defining workforce members' roles in the Emergency Mode Operations Plan.
7. Ensuring that the Emergency Mode Operations Plan defines how the actions taken by these workforce members are tracked and logged, and how unauthorized access can be detected and prevented.
8. Requiring that only authorized workforce members are permitted to administer or modify the processes and controls that protect the security of ePHI.
9. Defining such workforce members and their roles in the Emergency Mode Operations Plan.


Guidance: Procedures to Consider for Inclusion in the Disaster Recovery Plan 


  1. Develop and implement a Disaster Recovery Plan. Include in the plan the names and job titles of individuals who are authorized to enter your facility to support restoration of lost data. Indicate in the plan the contact information for each person, along with a description of what role the individual will play in restoring lost data.
  2. Create a document (to be included as part of the Disaster Recovery Plan) that describes permitted or required methods of entry to the facility in the event of an emergency. The document should ideally provide for at least two methods of entry. If, for example, power to the facility has been knocked out, the organization may wish to establish manual key entry as a method of access. The document can contain these measures:
  3. Ensure those individuals identified in (1) can enter the facility (e.g., provide these individuals with keys).
  4. Confirm the identity of each individual who is permitted to enter the facility before allowing that person entry into the facility (e.g., ask them to show a badge or other proof of ID).
  5. If the individual is an employee of a business associate, confirm the individual’s identity and have that person sign the front desk log, and have them note their time of entry and time of exit.
  6. Escort business associate workers who are entering the facility for the first time to the area where they must perform their job duties.
  7. If you deem it appropriate, use HIPAA-compliant surveillance to monitor the activities of the authorized workforce members or business associates.
  8. If an authorized workforce member or business associate is unable to perform his or her restoration of lost data function, the individual should contact the Privacy or Security Officer to notify them of this fact, and should request further instruction.


2. Facility Security Plan. The Facility Security Plan requirement states, “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.” (45 CFR 164.310(a)(2)(ii))

To implement a facility security plan, an organization can take a variety of tamper-proofing measures to ensure that unauthorized individuals cannot gain access to the facility and its equipment.

These measures can include seals, locks, and other deterrents that both discourage and detect any attempts at tampering. Integrating advanced security measures such as alarm systems and monitoring can further enhance the facility’s protection against theft and unauthorized activities.

Electronic badges, access codes, locks, and security personnel can be used to regulate and restrict entry to your facility.

A Word About Alarms and Alarm Systems
The HIPAA regulations do not specifically require alarm systems. If, right now, an organization does not have any of the above measures (badges, locks, seals, access codes, monitoring, warning systems, other deterrents against tampering, or other measures to regulate and restrict entry to its facility), the organization should strongly consider the purchase and installation of an alarm, alarm system, or monitoring system.

Which alarm, alarm system, or monitoring system you would want to install depends on your risk profile. For example, if your facility is located in a high-crime area, or you have experienced break-ins or theft of equipment, you might want to consider installing a more robust alarm or monitoring system than someone in a low-crime area with little likelihood of theft might need. If having an alarm system is likely to contribute to protecting electronic protected health information, it is reasonable and appropriate to have one. If you already have more advanced security measures in place to prevent tampering and theft and to restrict access, an alarm might not contribute to protecting ePHI beyond what those measures already provide. If, for the sake of example, the sole measure you have to protect the physical security of your facility is a lock on the front door, an alarm system would likely contribute to protecting ePHI, and it (and other monitoring systems) should be strongly considered.


3. Access Control and Validation Procedures. The "Access Control and Validation Procedures" requirement states, “Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.” (45 CFR 164.310(a)(2)(iii))


This requirement is designed to protect the physical facility housing the ePHI and software programs, through "people controls" - control and validation of facility access based on role or function, and control of visitor access.

Visitor controls include:

1. Requiring visitors to sign in (front desk log)
2. Requiring visitors to present a government-issued ID or other photo ID
3. Requiring visitors to wear badges
4. Providing a security escort for visitors

These measures ensure that visitors are not permitted entry at will, without monitoring when they come in, who they are, or what their purpose is.

Entities should adopt and implement visitor control procedures that are reasonable and appropriate for their environment. For example, when a visitor with whom a medical practice is familiar enters the facility, the practice can require the visitor to sign a front desk log. If a visitor is someone with whom the practice is not familiar, the practice could require both presentation of photo ID and front desk log signing.


Having visitors log in and out using a front desk visitor log is not required, but as a practical matter and as a matter of best practice, the measure is encouraged. Say that a breach of unsecured PHI occurs. Ten minutes before the breach, two people unknown to the practice entered the building. In this hypothetical situation there are no visitor controls present - no one is required to show photo ID, and no one is required to sign in or sign out at the front desk. If these two people caused the breach, the practice may have failed to implement adequate visitor controls.


4. Maintenance Records. The Maintenance Records requirement states, “Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).” (45 CFR 164.310(a)(2)(iv))

To implement this requirement, an organization should develop policies and procedures requiring the keeping and updating of a log of repairs and modifications related to security. The repairs and modifications to be logged include repairs to the building components relating to security, such as locks, hardware, and doors. The log should also note when security upgrades are made, including upgrades to alarms and monitoring systems.
