HIPAA - Access Control Validation Procedures 164.310(a)(2)(iii)
Overview:
Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Action Items:
1) Obtain and review procedures related to access control and validation. Evaluate the content in relation to the specified performance criteria for controlling a person's facility access, including workforce members, contractors, visitors and probationary employees. Elements to review may include but are not limited to: methods for controlling and validating an employee's access to the facility; workforce members' roles and responsibilities in the access control and validation process; the frequency with which lists of individuals with physical access to sensitive facilities are reviewed; and methods for controlling visitors' physical access to facilities.
2) Obtain and review documentation demonstrating the control of visitors' physical access to facilities. Evaluate and determine if physical controls identify visitors attempting to access the facility, prevent entry by unauthorized visitors, and grant access to authorized visitors.
3) Obtain and review documentation demonstrating control of access to software programs for modification and revision. Evaluate and determine if authorized individuals, roles, or job functions are identified and validated before gaining access to the software programs, and whether this is done in accordance with applicable procedures.
4) Obtain and review documentation demonstrating facility and software access control and validation procedures are implemented.
5) Evaluate and determine if the safeguards implemented, taken as a whole, control access to the facility's physical environment by validating an individual's role or function before granting physical access to the facility or to software programs, and whether they deter and prevent unauthorized access to the facility or software in accordance with applicable policies and procedures.
Related Documents:
1) Procedures related to access control and validation
2) Documentation demonstrating the control of visitors' physical access to facilities.
3) Documentation demonstrating control of access to software programs for modification and revision.
4) Documentation demonstrating facility and software access control and validation procedures are implemented.
Additional Guidance:
The purpose of this implementation specification is to specifically align a person’s access to information with his or her role or function in the organization. These functional or role-based access control and validation procedures should be closely aligned with the facility security plan. These procedures are the means by which a covered entity will actually determine the workforce members or persons that should have access to certain locations within the facility based on their role or function.
The controls implemented will depend on the covered entity’s environmental characteristics. For example, it is common practice to question a person’s identity by asking for proof of identity, such as a picture ID before allowing access to a facility. In a large organization, because of the number of visitors and employees, this practice may be required for every visit. In a small doctor’s office, once someone’s identity has been verified it may not be necessary to check identity every time he or she visits, because the identity would already be known.
Sample questions for covered entities to consider:
- Are procedures developed and implemented to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision?
- Do the procedures identify the methods for controlling and validating an employee’s access to facilities, such as the use of guards, identification badges, or entry devices such as key cards?
- Do the procedures also identify visitor controls, such as requiring them to sign in, wear visitor badges and be escorted by an authorized person?
- Do the procedures identify individuals, roles or job functions that are authorized to access software programs for the purpose of testing and revision in order to reduce errors?
- Does management regularly review the lists of individuals with physical access to sensitive facilities?