In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Physical Safeguard Standard, Facility Access Controls: Access Control and Validation Procedures. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where that is reasonable and appropriate. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
How to Do It
The Security Official is responsible for ensuring that this implementation specification is in place. The covered entity should establish a plan that identifies who controls access to the covered entity’s facility, and which persons have authorized access to the software and systems that contain electronic protected health information. In most covered entities, the plan will define access based on function and need. Again, function and need will be outcomes of the risk analysis, and will be inputs to workforce members’ job descriptions that are part of the Security Rule’s Administrative Safeguards. Scalability is a factor in determining function and need: covered entities with small workforces may have broader function and need assignments than large covered entities whose workforce members specialize in narrower tasks. Whatever the size of the entity, the plan should state who grants access, who revokes it when a role changes or ends, and how the current list of authorized persons is kept accurate.
Vendors—especially software and hardware vendors—may play key roles in the business operations of a covered entity, such as maintaining and updating systems periodically. It is essential that such vendors operate under a business associate agreement with the covered entity. The covered entity’s Security Official is responsible for ensuring that such vendors are aware of and adhere to the covered entity’s security policies and procedures. As mentioned above, business associates will be required to comply with the Security Rule beginning February 17, 2010.
At a minimum, a covered entity should adopt the following procedures to meet this implementation specification:
» Institute a visitor sign-in and badge system for the covered entity, so that every non-workforce person on the premises is identified and logged.
» Verify a person’s authorization to access the covered entity’s electronic systems that contain electronic protected health information before granting access, and re-verify it when the person’s role or function changes.
» Escort visitors in areas containing access to electronic protected health information if there is a reason for visitors (e.g., business associate vendors) to be in such areas.
» Control workforce member access and movement within the covered entity in areas containing access to electronic protected health information, consistent with each member’s role and function.
» Control access to software programs used for testing and revision of systems containing electronic protected health information, limiting it to those workforce members and vendors whose role requires it.