HIPAA - Facility Access Controls 164.310 (a)(1)


Overview:
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.


Action Items:
1) Obtain and review policies and procedures regarding facility access control. Evaluate the content in relation to the relevant specified performance criteria regarding physical access to electronic information systems and use of facilities and equipment that house ePHI.
2) Evaluate and determine if policies and procedures identify the countermeasures implemented to control physical access and to detect, deter, and/or prevent unauthorized or unlimited access to electronic information systems and the facilities where those systems are housed. Elements to review may include but are not limited to: workforce members' roles and responsibilities in facility access control procedures; management involvement in the facility's access control procedures; the process by which authorization credentials for facility access are issued; the process for removing workforce members' authorization credentials for physical access when such access is no longer required; identification of how visitors' access is monitored; methods for controlling and managing physical access devices (keys, badges, tokens, combinations); and the facilities and areas where physical access control is implemented to safeguard ePHI.
3) Obtain and review documentation of workforce members with authorized physical access to electronic information systems and the facility or facilities in which they are housed. Evaluate and determine if authorized workforce members are listed for each area where an electronic information system resides; listed members have been approved by appropriate management; the list of authorized workforce members is reviewed on a continuous basis; and members are removed from the list when access is no longer required.
4) Obtain and review documentation of procedures for granting individuals access to the entity's facility or facilities where electronic information systems are housed. Evaluate and determine if physical access authorization is enforced at entry/exit points of the facility; an individual's access authorization is verified before access to the facility is granted; and physical access audit logs of entry/exit points are maintained and reviewed on a continuous basis.
5) Obtain and review documentation of visitor physical access to electronic information systems and the facility or facilities where they are housed. Evaluate and determine if visitors are supervised (escorted) in locations where ePHI resides and if their activities are documented and monitored.


Related Documents:
1) Policies and procedures regarding facility access control.
2) Documentation of workforce members with authorized physical access to electronic information systems and the facility or facilities in which they are housed.
3) Documentation of procedures for granting individuals access to the entity's facility or facilities where electronic information systems are housed.
4) Documentation of visitor physical access to electronic information systems and the facility or facilities where they are housed.


Additional Guidance:
Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that allow authorized physical access, and limit unauthorized physical access, to electronic information systems and the facility or facilities in which they are housed?
- Do the policies and procedures identify individuals (workforce members, business associates, contractors, etc.) with authorized access by title and/or job function?
- Do the policies and procedures specify the methods used to control physical access, such as door locks, electronic access control systems, security officers, or video monitoring?

Article ID: 463
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-facility-access-controls-164-310-a-1-463.html