What are the HIPAA Security Rule Physical Safeguards? Facility Access Controls

Modified on Fri, 25 Jul at 12:41 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

The HIPAA Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” 

There are four physical safeguard security standards. These are:

1. Facility access controls
2. Workstation use
3. Workstation security
4. Device and media controls


This article covers the first of these standards, the Facility Access Controls Standard (45 CFR 164.310(a)(1)). This standard requires covered entities and business associates to: “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

What is a Facility?

A facility is defined in the Security Rule as “the physical premises and the interior and exterior of a building(s)”.


What are the Facility Access Controls Standard Implementation Specifications?

The Facility Access Controls standard has four implementation specifications, all of which are "addressable." Addressable does not mean optional: under 45 CFR 164.306(d)(3), a covered entity or business associate must assess whether each specification is a reasonable and appropriate safeguard in its environment and then either implement it or document why implementing it would not be reasonable and appropriate and implement an equivalent alternative measure if one is reasonable and appropriate. The four specifications are:

1. Contingency Operations (Addressable)
2. Facility Security Plan (Addressable)
3. Access Control and Validation Procedures (Addressable)
4. Maintenance Records (Addressable)


Each requirement is discussed in turn, below.

Contingency Operations


This requirement obligates covered entities and business associates to "Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency." (45 CFR 164.310(a)(2)(i)).


These "procedures" consist of reasonable steps taken by an organization to ensure that, in the event of a disaster or emergency requiring operation in emergency mode, appropriate workforce members can enter the facility to take necessary actions. What necessary actions? The actions outlined in the organization's Disaster Recovery Plan procedures and Emergency Mode Operation Plan procedures.

What are Examples of "Reasonable Steps"?

1. Allowing only authorized workforce members or business associates access to facilities to support restoration of lost data. The Disaster Recovery Plan should identify which individuals are allowed such access.
2. Defining workforce members' roles in the Disaster Recovery Plan.
3. Addressing ePHI systems and electronic media in the Emergency Mode Operations Plan - specifically, preparing an asset inventory so that responders know which systems and media hold ePHI.
4. Defining, in the Disaster Recovery Plan, how the actions taken by the workforce members in (2) above are tracked and logged, and how unauthorized access can be detected and prevented.
5. Defining in the Emergency Mode Operations Plan which workforce members are authorized to enter facilities to enable continuation of processes and controls that protect the confidentiality, integrity, and availability of ePHI while operating in emergency mode.
6. Defining workforce members' specific roles in the Emergency Mode Operations Plan.
7. Ensuring that the Emergency Mode Operations Plan defines how the actions taken by these workforce members are tracked and logged, and how unauthorized access can be detected and prevented.
8. Requiring that only authorized workforce members are permitted to administer or modify processes and controls that protect the security of ePHI, including during emergency mode, when the temptation to bypass controls is greatest.


Facility Security Plan

The Facility Security Plan requirement states, "Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.” (45 CFR 164.310(a)(2)(ii)).

To implement a facility security plan, an organization can adopt a mix of tamper-resistant and tamper-evident measures so that unauthorized individuals cannot gain access to the facility and its equipment without being stopped or, at a minimum, detected.

These measures can include locks on doors, cabinets, and equipment racks, and tamper-evident seals, which do not prevent tampering but make it apparent after the fact. Layering alarm systems and monitoring (for example, cameras covering entry points and server rooms) on top of these deterrents improves the facility's ability to detect and respond to theft and unauthorized activity.

Electronic badges, access codes, and security personnel also serve to safeguard the facility and its equipment from unauthorized access, tampering, and theft. Badge and access-code systems have the added benefit of producing an access record, which supports the tracking and logging of facility access described under Contingency Operations above.

Access Control and Validation Procedures

The "Access Control and Validation Procedures" requirement states, “Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.” (45 CFR 164.310(a)(2)(iii)).


This requirement is designed to protect the physical facility housing the ePHI and software programs through "people controls": control and validation of facility access based on each person's role or function, control of visitor access, and control of who may reach the systems on which software programs are tested or revised.

Visitor controls include:

1. Sign-in sheets or front desk sign-in and sign-out logs
2. Requiring visitors to present a government-issued ID or other photo ID
3. Requiring visitors to wear badges
4. Providing a security escort for visitors

These measures ensure that visitors are not permitted entry at will, and that the organization records when they come in and leave, who they are, and what their purpose is.

Entities can adopt and implement visitor control procedures that are reasonable and appropriate for their environment. For example, when a visitor with whom a medical practice is familiar enters the facility, the practice can require the visitor to sign a front desk log. If a visitor is someone with whom the practice is not familiar, the practice could require both presentation of photo ID and front desk log signing.


Document the actions taken to comply with the access control and validation procedures. For example, maintain copies of front desk logs. A best practice is to store these documents for at least 6 years from the date they were created or the date they were last in effect, whichever is later. This best practice becomes a requirement where the action, activity, or assessment is specifically required by HIPAA, because 45 CFR 164.316(b)(2)(i) imposes that retention period on required Security Rule documentation.

Maintenance Records


The Maintenance Records requirement states, “Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).” 45 CFR 164.310(a)(2)(iv)

To implement this requirement, an organization can develop policies and procedures requiring the keeping and updating of a log of security-related repairs and modifications to the facility. The components covered include locks, door hardware, doors, and walls. The log can also note when security upgrades are made, including upgrades to alarms and monitoring systems. A useful log entry records what was repaired or modified, when the work was done, and who performed it, so that later reviewers can tie a change in the physical environment to a specific date and person.
