Facility access controls (HIPAA)
Covered entities must implement facility access controls as part of their physical safeguards. The HIPAA Security Rule defines that as "policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."
Four implementation specifications are included in this standard, all of them addressable:
- contingency operations,
- facility security plan,
- access control and validation procedures, and
- maintenance records.
The first embraces the establishment -- and if necessary implementation -- of "procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency." (Both types of plan are required implementation specifications of the contingency plan standard.)

The second includes policies and procedures "to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft."

The third relates to policies and procedures that "validate a person's [physical] access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision." This is the physical analogue of the "need to know" information access limits described by the minimum necessary rule.
Taken together, the second and third could include such measures as sign-in and/or escort for visitors to the areas of the facility that contain information systems hardware or software. But this would depend on the covered entity's particular circumstances. While some sort of physical access control is obviously necessary for every facility, the particulars will vary considerably. (For that reason, as noted, all of these are addressable rather than required specifications.)
The last of the four covers policies and procedures "to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks)."

As with all the other specifications, policies and procedures are required to be "formal, documented" ones.
DHHS has noted that a covered entity retains a responsibility for considering building security even when it shares space within a facility used by other organizations. (Final Rule, p.121) If facility security is in part based on the efforts of third parties (e.g., the building's own security force), that must be documented. And, of course, such reliance must be "reasonable and appropriate" to the circumstances.