This entry is part 33 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

 Tell Me More:

For the maintenance records implementation specification, covered entities must address implementing policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks). It is important to monitor any changes to physical safeguards to ensure that the safeguards continue to be effective as intended. It is critical to monitor all changes to the physical environment and maintain a record of such changes.

Questions to consider include: 

  • Has the organization implemented policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks)?
  • Does the organization have a procedure to retain system maintenance records?
  • Does the organization have a procedure to maintain physical access authorization records?
  • Are logs maintained of the repairs and modifications to the physical facility that may have an impact on security? The log also should record who performed the work and what access they were granted for purposes of the work.
  • Are the logs reviewed to ensure the access to systems was appropriate and to verify that the changes were made in an appropriate fashion? This is necessary to ensure ongoing security.
  • Are the logs reviewed to ensure that any necessary changes to the organization’s security procedures resulting from the repairs or modifications are made?
  • Are procedures in place to ensure personnel performing technical system maintenance activities are supervised by authorized/knowledgeable individuals, and that operational personnel are appropriately authorized to access systems? Are these procedures documented?

A complete set of HIPAA Security Policies and Procedures may be purchased here.


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.