In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009.
What to Do
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
How to Do It
The Security Official is responsible for ensuring that this implementation specification is in place. The covered entity must develop procedures to protect its facility and systems from “unauthorized physical access, tampering, and theft.” These policies and procedures are outcomes of the covered entity’s risk analysis pertaining to unauthorized access to its facility. Unauthorized access includes access to building exteriors and interiors, tampering, theft, intrusions, and deliberate impairment of systems, including computers and electricity supply.
The facility security plan should include procedures to safeguard these and other unauthorized access threats and vulnerabilities identified in the risk analysis. Safeguards could include locks, alarm systems, identification systems (e.g., passcard or biometric systems), anti-intrusion systems, suitable to the covered entity’s business environment and operations. Appropriate procedures do not “preclude the use of electronic security systems in lieu of, or in combination with, physical security systems.” [68 Federal Register 8353] After hours, a covered entity in a single business dwelling may find an electronic detection, alarm, and lock system sufficient, whereas a covered entity in a multiple business office dwelling with entrance guard security may find strong locks on the doors sufficient. During business hours, workforce members strategically placed may be sufficient safeguards of a covered entity’s facility. Remember, in any business environment, the receptionist plays a key role in detecting access—authorized and unauthorized—to physical facility systems and ensuring that only authorized persons have access to electronic protected health information. Whatever the solution, if should be an outcome of the risk analysis.