Facility Access Controls: What This HIPAA Security Rule Physical Safeguard Standard Means

This is the first Physical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications: contingency operations; facility security plan; access control and validation procedures; and maintenance records. Each of these implementation specifications is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009.

The Security Official is responsible for ensuring that this implementation specification is in place. Facility access controls require that a covered entity implements policies and procedures to limit physical access to its electronic protected health information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. The policies and procedures should control access to and within the physical premises of the covered entity. The four implementation specifications listed above, each of which will be covered in a separate posting, are “applicable to an entity’s business location or locations,” and the facility at each location “includes physical premises and the interior and exterior of a building.” [68 Federal Register 8353 and 8354, respectively]

A covered entity will develop and apply policies and procedures for each of the addressable implementation specifications based on outcomes of the covered entity’s risk analysis and other factors, such as how each physical safeguard facility access controls implementation specification relates to technical and administrative safeguards policies and procedures, and especially to the covered entity’s disaster recovery plan.

Another factor for consideration relates to whether a covered entity’s premises are located in single business dwellings or in a multiple business office dwellings. A covered entity in a single business dwelling must implement the standard so that the physical premises are protected, internally and externally. Covered entities in multiple business office structures must implement the standard, taking into consideration, that it “retains responsibility for considering facility security even where it shares space within a building with other organizations. Facility security measures taken by a third party must be considered and documented in the covered entity’s facility security plan, when appropriate.” [68 Federal Register 8353] Accordingly, a covered entity in a multiple business office structure should acquire a copy of the landlord’s building security plan and include it in the covered entity’s security plan as an exhibit or appendix item. The covered entity’s physical security plan should incorporate provisions of the landlord’s building security plan by reference.