HIPAA - Facility Security Plan 164.310(a)(2)(ii)

Overview:
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.


Action Items:
1) Obtain and review policies and procedures related to the facility security plan. Evaluate the content in relation to the specified performance criteria for safeguarding the facility and equipment therein from unauthorized physical access, tampering, and theft. Elements to review may include but are not limited to:
- Identification of the physical security measures in place to provide physical security protection for facilities and equipment
- Workforce members' roles and responsibilities regarding the facility security plan
- Inventory of the entity's facilities that house equipment that create, maintain, receive, and transmit ePHI
2) Obtain and review documentation demonstrating that facility security plan procedures are implemented to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Evaluate and determine if implementation of the facility security plan is being followed appropriately and is in accordance with related policies and procedures.


Related Documents:
1) Policies and procedures related to the facility security plan.
2) Documentation demonstrating that facility security plan procedures are implemented to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.


Additional Guidance:
Facility security plans must document the use of physical access controls. These controls must ensure that only authorized individuals have access to facilities and equipment that contain ePHI. In general, physical access controls allow individuals with legitimate business needs to obtain access to the facility and deny access to those without legitimate business needs. Procedures must also be used to prevent tampering with, and theft of, ePHI and related equipment.


To establish the facility security plan, covered entities should review risk analysis data on persons or workforce members that need access to facilities and equipment. This includes staff, patients, visitors, and business partners.


Some common controls to prevent unauthorized physical access, tampering, and theft that covered entities may want to consider include:
- Locked doors, signs warning of restricted areas, surveillance cameras, alarms
- Property controls such as property control tags, engraving on equipment
- Personnel controls such as identification badges, visitor badges, and/or escorts for large offices


In addition, all staff or employees must know their roles in facility security. Covered entities must review the plan periodically, especially when there are any significant changes in the environment or information systems.


Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented to protect the facility and associated equipment against unauthorized physical access, tampering, and theft?
- Do the policies and procedures identify controls to prevent unauthorized physical access, tampering, and theft, such as those listed under the common controls above?