(2) Implementation specifications:

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

 Tell Me More:

For the maintenance records implementation specification, covered entities must address implementing policies and procedures to document repairs and modifications to the physical components of a facility that are related to security, for example, hardware, walls, doors, and locks. It is important to monitor any changes to physical safeguards to ensure that the safeguards continue to be effective as intended. It is critical to monitor all changes to the physical environment and maintain a record of such changes.

Questions to consider include: 

  • Has the organization implemented policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks)?
  • Does the organization have a procedure to retain system maintenance records?
  • Does the organization have a procedure to maintain physical access authorization records?
  • Are logs maintained of the repairs and modifications to the physical facility that may have an impact on security? The log should also record who performed the work and what access they were granted for purposes of the work.
  • Are the logs reviewed to ensure the access to systems was appropriate and to verify that the changes were made in an appropriate fashion? This is necessary to ensure ongoing security.
  • Are the logs reviewed to ensure that any necessary changes to the organization’s security procedures resulting from the repairs or modifications are made?
  • Are procedures in place to ensure personnel performing technical system maintenance activities are supervised by authorized/knowledgeable individuals, and that operational personnel are appropriately authorized to access systems? Are these procedures documented?
