This entry is part 31 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Tell Me More:

For the facility security plan implementation specification, covered entities must address implementing policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

The covered entity and business associate need to consider implementing a process to assess the overall physical security needs of the organization, including facility location, layout, design, and construction. For a small organization, e.g., a solo practice physician office, this may be straightforward and involve simply locking the doors when no workforce member is in the office. In a large organization, this can be a complex task, especially if the facility is open to the public around the clock, e.g., a hospital.

Facility access controls, like any security measure, must seek to balance security levels with ease of use. To do this, workforce member feedback is invaluable in determining which controls to implement; however, reasonableness and appropriateness must always be evaluated in light of the specific organization's environment. Some simple measures may provide dramatic improvements in security, and smaller organizations in particular might want to focus on those initially. Adding locks, locking doors, and identifying visitors by badge are simple measures that can provide major improvements.

A complete set of HIPAA Security Policies and Procedures may be purchased here.

Questions to consider:

  • Has the organization developed and implemented policies and procedures to safeguard the facility and equipment where electronic PHI is stored or accessed from unauthorized physical access?
  • Does your organization have a current facility security plan? Is it up to date with your current facility design? If not, you will need to develop or update the plan.
  • Does the plan cover who can access each portion of the facility (facilities)? Does access vary depending on circumstances, e.g., does it change during emergency mode operations? See also Implementation Specification: Authorization and/or Supervision (Addressable) and Implementation Specification: Emergency Mode Operation Plan (Required).
  • Does the plan discuss how equipment is protected, including who can access each machine? See also Implementation Specification: Authorization and/or Supervision (Addressable), Standard: Device and Media Controls. Is it up to date and consistent with your equipment inventory? Does it address all equipment, including PDAs, cellphones, and medical equipment?
  • Does the plan adequately address access to paper-based PHI? Recall that the Privacy Rule requires you to keep paper-based PHI secure.
  • Is the plan reviewed and updated on a regular basis? This should be part of your ongoing risk analysis.


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations, and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.