(2) Implementation specifications:
(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Tell Me More:
For the facility security plan implementation specification, covered entities must address implementing policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
The covered entity and business associate need to consider implementing a process to assess the overall physical security needs of the covered entity, including facility location, layout, design, and construction. For a small organization, e.g., a solo practice physician office, this may be straightforward and involve simply locking the doors when no workforce member is in the office. In a large organization, this can be a complex task, especially if the facility is open to the public around the clock, e.g., a hospital.
Facility access controls, like any security measure, must seek to balance security levels with ease-of-use. To do this, workforce member feedback is invaluable in making determinations of the controls implemented—however, reasonableness and appropriateness must always be evaluated in light of the specific organization’s environment. Some simple measures may provide dramatic improvements in security, and smaller organizations in particular might want to focus on those initially. Adding locks, locking doors, and identifying visitors by badge are simple measures that can provide major improvements.
Questions to consider:
- Has the organization developed and implemented policies and procedures to safeguard the facility and equipment where electronic PHI is stored or accessed from unauthorized physical access?
- Does your organization have a current facility security plan? Is it up to date with your current facility design? If not, you will need to develop or update the plan.
- Does the plan cover who can access each portion of the facility (facilities)? Does access vary depending on circumstances, e.g., does it change during emergency mode operations? See also Implementation Specification: Authorization and/or Supervision (Addressable) and Implementation Specification: Emergency Mode Operation Plan (Required).
- Does the plan discuss how equipment is protected, including who can access each machine? See also Implementation Specification: Authorization and/or Supervision (Addressable), Standard: Device and Media Controls. Is it up to date and consistent with your equipment inventory? Does it address all equipment, including PDAs, cellphones, and medical equipment?
- Does the plan adequately address access to paper-based PHI? Recall that the Privacy Rule requires you to keep paper-based PHI secure.
- Is the plan reviewed and updated on a regular basis? This should be part of your ongoing risk analysis.
Related NIST publications:
- NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook (chapter 15)
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems