OCR Discusses Facility Access Controls
This month's Office of Civil Rights newsletter explains what facility access controls are and how to implement them. They note that "...Recent data security research suggests that only 7% of data security decision makers are concerned with breaches due to lost or stolen equipment, even though these account for 17% of breaches...". We know from practical experience that HIPAA's physical security requirements are often handed off to people who may not prioritize compliance and risk.
For those new to the Security Rule, the Facility Access Controls standard is found at § 164.310(a)(1). Under this standard are four addressable implementation specifications:
§ 164.310(a)(2)(i) - Contingency Operations
§ 164.310(a)(2)(ii) - Facility Security Plan
§ 164.310(a)(2)(iii) - Access Control and Validation Procedures, and
§ 164.310(a)(2)(iv) - Maintenance Records
and each is explained in detail in the source document, hyperlinked from the graphic below.
When we think of the security controls associated with a facility, we recommend focusing on defeating theft and on natural disaster response. Limiting access is sometimes difficult, especially for hospitals and other 24x7 healthcare providers where there are computers everywhere.
Please contact us if you need help understanding what security controls you should implement to protect your facilities and to comply with the Security Rule.
Stay (HIPAA) safe,
Alan -