(2) Implementation specifications:
(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Tell Me More:
For the access control and validation procedures implementation specification (which is addressable), covered entities and business associates must address implementing procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Consider limiting physical access to appropriately authorized individuals. In a small organization, it is likely that all workforce members need access to all portions of the facility and, very likely, PHI – that is both paper and electronic. In a larger organization, job functions will be more specialized and offices physically separated. In such an organization it is important to ensure that workforce members’ access is limited. These limitations should focus on keeping PHI secure. Workforce members should be granted limited access to locations that have PHI on an as needed basis. Workforce members also should be granted access to software and ePHI on an as needed basis. Access may be controlled using tokens, card keys, biometrics, and passwords, among other approaches.
Questions to consider include:
- Does the organization have procedures to control and validate a workforce member’s access to facilities?
- Has the organization implemented procedures within the facility to sign in visitors and provide escorts, if appropriate?
- Has the organization made a determination of which job functions need access to each part of the facility and to each software program and related ePHI? Controlling physical access to portions of the facility will help to prevent inappropriate access to PHI – both ePHI and other PHI. See also Implementation Specification: Authorization and/or Supervision (Addressable)
- Are appropriate and adequate approaches used to limit physical access within the organization? The organization should evaluate access on an ongoing basis.
- How are visitors handled, including maintenance personnel, consultants, and other contractors? Temporary access and monitoring access for such individuals can be a complex issue for a larger organization with a great deal of public access.
A complete set of HIPAA Security Policies and Procedures may be purchased here.
- NIST SP 800-12 chapter 15 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems