This entry is part 44 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

 (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Tell Me More:

For the access control and validation procedures implementation specification, covered entities and business associates must address implementing procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Note that “addressable” does not mean optional: under the Security Rule’s general rules (45 CFR 164.306(d)(3)), the entity must either implement the specification if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where reasonable and appropriate.

Consider limiting physical access to appropriately authorized individuals. In a small organization, it is likely that all workforce members need access to all portions of the facility and, very likely, to PHI, that is, both paper and electronic. In a larger organization, job functions will be more specialized and offices physically separated. In such an organization it is important to ensure that workforce members’ access is limited, and these limitations should focus on keeping PHI secure. Workforce members should be granted access to locations that hold PHI only on an as-needed basis, and likewise should be granted access to software and ePHI only on an as-needed basis. Access may be controlled using tokens, card keys, biometrics, and passwords, among other approaches; whatever mechanism is chosen, the procedures should also cover revoking access promptly when a person’s role or function changes or ends.

Questions to consider include: 

  • Does the organization have procedures to control and validate a workforce member’s access to facilities?
  • Has the organization implemented procedures within the facility to sign in visitors and provide escorts, if appropriate?
  • Has the organization made a determination of which job functions need access to each part of the facility and to each software program and related ePHI? Controlling physical access to portions of the facility will help to prevent inappropriate access to PHI – both ePHI and other PHI. See also Implementation Specification: Authorization and/or Supervision (Addressable)
  • Are appropriate and adequate approaches used to limit physical access within the organization? The organization should evaluate access on an ongoing basis.
  • How are visitors handled, including maintenance personnel, consultants, and other contractors? Temporary access and monitoring access for such individuals can be a complex issue for a larger organization with a great deal of public access.

A complete set of HIPAA Security Policies and Procedures may be purchased here.


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.