The Security Rule
T, transferred, or otherwise. But evaluating what measures are necessary for compliance, as well as the standards you must keep to ensure data security, can be a daunting task. The U.S. Department of Health and Human Services breaks safeguards down into three categories: Administrative, Technical, and Physical. For this week’s discussion, we will be focusing on the physical security measure titled Facility Access Controls, standard §164.310(a)(1).
Facility Access Controls
HIPAA compliance with the Facility Access Controls portion of physical security requires all covered entities to “implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.”
Within the Facility Access Controls standard, there are four implementation specifications: Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, and Maintenance Records.
Contingency Operations
You’ve just been hit with a power surge throughout your facility – your network is down, and some of your workstations and server equipment are not coming back online. At the moment, you’ve lost a large portion of your PHI data, and the only backup is held at an offsite location.
Enter Contingency Operations. These are your policies and procedures set in motion during or after a disaster or emergency. Assuming (and hoping) that you have an offsite backup, you’ll need to retrieve it for data restoration. Who has access to that facility? How many employees (and which ones) should be responsible for escorting those retrieving and transporting these backups? These are all factors that play into the contingency operations of your healthcare organization, and they ensure that physical security is maintained on ePHI even during emergencies.
Facility Security Plan
The Facility Security Plan is your first line of defense against unauthorized physical access. Whatever measures you have in place at your facilities to protect ePHI fall under the Facility Security Plan. Are your server rooms kept locked? Do you have ID readers or a digital keypad protecting important locations on- and off-site? Is a surveillance system in place, and how often is it reviewed? These security measures are solid deterrents against unauthorized access to health information – keeping them reviewed and updated on a timely basis is vital for HIPAA compliance.
Access Control and Validation Procedures
One of the cornerstones of strong physical security policies and procedures is authorized access – limiting accessibility to facilities, workstations, servers, and other electronic media. Establishing authorized user lists ensures that only those who require access will be given it, and reduces the risk that an unauthorized user – malicious or benign – could cause a breach. The Facility Security Plan might ensure that your doors are locked, but how do you determine who gets a key?
Generally, you should limit access to those who absolutely need it. This encompasses technical and physical security (after all, not everyone should have Administrator access to your workstations and servers), but we are focusing on the latter. Using the example from earlier, the only employees with access to the server room should be those who need it for their job functions. The same rule applies to off-site backup storage, data centers, and similar locations: they should be accessible only to those with the appropriate clearance. These types of policies can be enforced passively through user-specific PIN codes, keys, or ID card distribution, and reviewed by checking logbooks or surveillance recordings against the authorized list.
Maintenance Records
So, you’ve locked your doors, set up your security, and handed out the ‘keys’ to the appropriate users. All that’s left is your Maintenance Records – the documentation detailing when you change your keys, who accesses restricted areas, when new keys or access codes have been distributed, or even when you change the lock on a door. These records create a history of your security implementation and show that your practice has fully documented its implementation of the previous three specifications.
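The review step described under Access Control and Validation Procedures (checking logbooks against the authorized list) and the credential history described under Maintenance Records are the parts of this standard that can be made mechanical. The following is an added example, not code from the original post: it reconciles a constructed badge-reader log against a constructed roster of who is authorized for each restricted area, flags entries that should be reviewed (a revoked badge still being granted entry, after-hours entry with no escort record, denied attempts), and emits the issued/revoked history that serves as a maintenance record. The area names, badge IDs, dates and business hours are all assumptions made for illustration.

```python
"""Reconcile a badge-reader log against an authorized-access roster.

Added example, not from the original post. The roster, log lines,
area names and business hours below are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed roster: which badges are authorized for which restricted area,
# with the dates each credential was issued and (if applicable) revoked.
# Keeping these dates here is what lets the same data produce a maintenance record.
ROSTER = {
    "SERVER-ROOM": {
        "badge-1001": {"name": "A. Nguyen", "issued": "2023-01-09", "revoked": None},
        "badge-1002": {"name": "B. Ortiz", "issued": "2023-03-14", "revoked": "2023-11-30"},
    },
    "BACKUP-VAULT": {
        "badge-1001": {"name": "A. Nguyen", "issued": "2023-06-01", "revoked": None},
    },
}

# Assumed window for unescorted entry; anything outside it is flagged for review.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed badge-reader export: timestamp, area, badge, reader decision.
SAMPLE_LOG = """\
2023-12-04T08:12:00 SERVER-ROOM badge-1001 GRANTED
2023-12-04T22:47:00 SERVER-ROOM badge-1001 GRANTED
2023-12-05T09:03:00 SERVER-ROOM badge-1002 GRANTED
2023-12-05T09:30:00 BACKUP-VAULT badge-1003 DENIED
2023-12-05T10:15:00 BACKUP-VAULT badge-1001 GRANTED
"""


@dataclass
class Finding:
    when: datetime
    area: str
    badge: str
    reason: str


def parse_log(text):
    """Turn the whitespace-separated export into (datetime, area, badge, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, area, badge, result = line.split()
        events.append((datetime.fromisoformat(ts), area, badge, result))
    return events


def is_authorized(area, badge, when):
    """True only if the badge was on the area's list at the moment of entry."""
    entry = ROSTER.get(area, {}).get(badge)
    if entry is None:
        return False
    if when < datetime.fromisoformat(entry["issued"]):
        return False
    if entry["revoked"] and when >= datetime.fromisoformat(entry["revoked"]):
        return False
    return True


def review(events):
    """Return the log entries a reviewer should look at, with the reason for each."""
    findings = []
    for when, area, badge, result in events:
        if result == "GRANTED" and not is_authorized(area, badge, when):
            findings.append(Finding(when, area, badge,
                                    "granted entry but not on current authorized list"))
        elif result == "GRANTED" and not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]):
            findings.append(Finding(when, area, badge,
                                    "entry outside business hours; check escort log"))
        elif result == "DENIED":
            findings.append(Finding(when, area, badge,
                                    "denied attempt; confirm badge is known and expected"))
    return findings


def maintenance_record():
    """Flatten the roster into a dated history of credential issue/revoke events."""
    history = []
    for area, badges in ROSTER.items():
        for badge, entry in badges.items():
            history.append((entry["issued"], area, badge, "issued"))
            if entry["revoked"]:
                history.append((entry["revoked"], area, badge, "revoked"))
    return sorted(history)


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f"{f.when.isoformat()} {f.area} {f.badge}: {f.reason}")
    for date, area, badge, action in maintenance_record():
        print(f"{date} {area} {badge} {action}")
```

On the constructed log this flags three entries: the 22:47 server-room entry (authorized badge, but outside the review window), the server-room entry by a badge revoked the previous week, and the denied attempt at the backup vault. The point of the `is_authorized` check is that it compares against the roster as of the entry time, so a stale credential that the reader still accepts shows up even if the reader itself never logged a denial.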
Tying it Together
When you’ve fully implemented your Facility Access Controls, you will know who should have access to what, how and when they have access, what keeps everyone but those select few out, and what your contingency plan is in the event that something goes awry. While this is only the first aspect of Physical Security, these steps are critical to HIPAA compliance and to ensuring that your PHI remains protected.
James Douglas Saylor
Systems Analyst