HIPAA TIP: Facility Security Plan

Under the HIPAA Security Rule Physical Safeguards, a Facility Security Plan (45 CFR 164.310(a)(2)(ii)) is defined as follows: “implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”

Facility Security Plans must document the use of physical access controls. These controls must ensure that only authorized individuals have access to facilities and equipment that contain ePHI. In a healthcare organization this includes not only staff but also patients, visitors and third-party business partners.

Documentation is key for HIPAA compliance. Should your organization experience a breach, you will need to produce evidence to the Office for Civil Rights (OCR) that the HIPAA Rule requirements were met.

Some of the areas the Facility Security Plan must address are:

  • Alarms, key cards or fobs for all staff with role-based access, locked doors to restricted areas, surveillance cameras, signs warning of restricted areas.
  • Visitor sign-ins, visitor badges, patients and third parties escorted through the facility.
  • Server rooms, network closets, medical records rooms locked at all times with limited staff access.
  • Access to facilities after hours – who can access, how is this recorded?
  • All equipment, including devices or machines containing ePHI, is inventoried and secured when not in use.
  • Shredding bins and papers containing PHI (on desks, at fax machines) are secured and locked when not in use or after business hours.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.