Facility Access Controls: Access Control and Validation Procedures-What to Do and How to Do It

April 28, 2009 · HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

What to Do

Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

How to Do It

The Security Official is responsible for ensuring that this implementation specification is in place. The covered entity should establish a plan that identifies who controls access to the covered entity’s facility, and which persons have authorized access to software and systems that contain electronic protected health information. In most covered entities, the plan will define access based on function and need. Again, function and need will be outcomes of the risk analysis, and will be inputs to workforce members’ job descriptions that are part of the Security Rule’s Administrative Safeguard Procedures. Scalability is a factor in determining function and need, as covered entities with small workforces may have broader function and need assignments than large covered entities with workforce members who specialize in narrower tasks.

Vendors—especially software and hardware vendors—may play key roles in the business operations of a covered entity, such as maintaining and updating systems periodically. It is essential that such vendors operate under a business associate agreement with the covered entity. The covered entity’s Security Official is responsible for ensuring that such vendors are aware of and adhere to the covered entity’s security policies and procedures. As mentioned above, business associates will be required to comply with the Security Rule beginning February 17, 2010.

At a minimum, a covered entity should adopt the following procedures to meet this implementation specification:

» Institute a visitor sign-in and badge system for the covered entity.
» Verify a person’s authorization to access the covered entity’s electronic systems that contain electronic protected health information.
» Escort visitors in areas containing access to electronic protected health information if there is a reason for visitors (e.g., business associate vendors) to be in such areas.
» Control workforce member access and movement within the covered entity in areas containing access to electronic protected health information.
