Facility Access Controls: Facility Security Plan-What to Do and How to Do It

April 27, 2009 | HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

How to Do It

The Security Official is responsible for ensuring that this implementation specification is in place. The covered entity must develop procedures to protect its facility and systems from “unauthorized physical access, tampering, and theft.” These policies and procedures are outcomes of the covered entity’s risk analysis pertaining to unauthorized access to its facility. Unauthorized access includes access to building exteriors and interiors, tampering, theft, intrusions, and deliberate impairment of systems, including computers and the electricity supply.

The facility security plan should include procedures to safeguard against these and other unauthorized-access threats and vulnerabilities identified in the risk analysis. Safeguards could include locks, alarm systems, identification systems (e.g., passcard or biometric systems), and anti-intrusion systems suitable to the covered entity’s business environment and operations. Appropriate procedures do not “preclude the use of electronic security systems in lieu of, or in combination with, physical security systems.” [68 Federal Register 8353] After hours, a covered entity in a single-business dwelling may find an electronic detection, alarm, and lock system sufficient, whereas a covered entity in a multiple-business office dwelling with entrance guard security may find strong locks on the doors sufficient. During business hours, strategically placed workforce members may be sufficient safeguards for a covered entity’s facility. Remember, in any business environment, the receptionist plays a key role in detecting access—authorized and unauthorized—to physical facility systems and in ensuring that only authorized persons have access to electronic protected health information. Whatever the solution, it should be an outcome of the risk analysis.
