HIPAA TIP: Facility Security Plan

A Facility Security Plan is documentation that describes how an organization implements the practices needed to conduct business in compliance with HIPAA regulations and its own policies. The purpose of this policy is to cover the procedures that limit physical access to electronic Protected Health Information (ePHI) systems and to the facility or facilities in which such systems are housed, while still ensuring that properly authorized access is allowed.

Examples of what would be included in a Facility Security Plan are:

  • Access control mechanisms that control physical access to all facilities containing ePHI systems, e.g., code locks, badge readers, key locks or key fobs.
  • Systems containing ePHI, such as servers and backup systems, are secured in locked rooms with access limited to management or IT, and those rooms are NOT used for storage.
  • Alarm systems, motion detectors and security cameras are in place. Ideally, each staff member who requires an alarm code is issued an individual code, so that entries can be attributed to a specific person.
  • Vendors and third parties entering the facility must sign in and wear a visitor badge while in the facility.
  • Employees are required to monitor their workstations, lock their computers when leaving their desks, and maintain a clean desk policy – both during work hours and at the end of the business day.
  • Maintenance records must be documented, and whenever possible repairs and maintenance to the facility are monitored and supervised by the organization.

HIPAA compliance isn’t a one-time checklist. It is ongoing and programmatic in nature, and it requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.