Facility Access Controls Policy and Procedure

PurposeiEHR

is committed to conducting business in compliance with all applicable laws, regulations and policies. This Policy covers the procedures that limit physical access to electronic protected health information (ePHI) systems and the facility or facilities in which such systems are housed, while still ensuring that proper authorized access is allowed.

Policy

iEHR will maintain a Facility Security Plan that outlines and documents its procedures to safeguard all facilities, systems, and equipment used to store ePHI against unauthorized physical access, tampering, or theft. The Facility Security Plan includes the following components

Employee/Business Associate Access Controls and Validation

1. iEHR will implement appropriate procedures to control and validate iEHR employee access to all facilities used to house ePHI based systems.
2. iEHR will adopt appropriate access control mechanisms to control physical access to all facilities containing ePHI-based systems.
   1. Restricted areas and facilities are locked and alarmed when unattended (where feasible). Allowed access includes:
      1. Employees as approved by their supervisor and as needed to perform their job duties.
      2. Patients with an escort of an authorized workforce member into and out of the areas.
      3. Family members and friends briefly visiting employees with an authorized employee’s escort.
      4. Vendors (wearing Visitor ID badge) with an employee’s escort into and out of the areas.
      5. Vendors or Business Associates on a long-term contract (wearing a Visitor ID badge), once acclimated to the areas, without an escort.
   2. Only authorized employees and business associates receive keys to access restricted areas (as determined by the Security Officer through Departmental requests).
   3. Employees are required to return keys to the Supervisor on their last day of employment/last day of contracted work or services being provided.
   4. Employees must report a lost and/or stolen key to the Security Officer. The Security Officer will facilitate the changing of the lock(s) within 24 hours of a key being reported lost/stolen, or disable the ID badge.
3. iEHR will implement appropriate procedures to identify all employees and business associates.
   1. All persons, excluding patients and visiting family and friends, are required to wear iEHR identification badges. Employees will wear a iEHR ID badge at all times while at iEHR.
   2. Employees are required to return their iEHR ID badge to the Human Resources department (or Supervisor) on their last day of employment/last day of contracted work or services being provided.
   3. Visiting vendors must register (sign in and out) on the Vendor Sign-in Log and obtain Visitor ID badges from the department they are visiting. Vendors are instructed to return the Visitor ID badge and sign out prior to leaving the premises.
4. iEHR will adopt appropriate procedures to enforce this Policy. Escort violators out of restricted areas immediately and either have them register and obtain a visitor ID badge or escort them to the area they are trying to get to.
   1. Report violations of this policy to the restricted area’s department team leader, supervisor, manager, or director, or the Privacy Officer.
   2. Employees in violation of this policy are subject to disciplinary action, up to and including termination.
   3. Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services.
5. iEHR will institute appropriate procedures to maintain workstation security.

   1. Workstations may only be accessed and utilized by authorized employees or Business Associates wearing appropriate identification to complete assigned job/contract responsibilities. Third parties may be authorized by the Technical Security Officer to access systems/applications on an as needed basis.

   2. All employees are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications as per the System Access Policy.

   3. All iEHR computer mainframes, servers, and network hardware are maintained in secured, locked, environmentally conditioned rooms with 24 hour per day monitoring devices, which alert the Technical Security Officer of any problems. Access to these rooms is limited to authorized IT and facility services employees as required to perform job responsibilities to maintain these rooms and/or the equipment within these rooms. Access by anyone else is granted only by approval from the Technical Security Officer and only with an escort by an authorized IT or facility services workforce member.

   4. Permanent Workstations (i.e. desktop computer, printers, and monitors) may only be moved by authorized IT workforce members.

   5. All wiring associated with a workstation may only be installed, fixed, upgraded, or changed by an authorized IT workforce member or other individual authorized by the Technical Security Officer.

Physical Access Records

1. List areas of your office/building that require physical access records. (Examples of areas requiring physical access records are computer, telephone and system rooms).
   2. In addition to badge access, iEHR requires a signature log of all employees accessing [Insert Specified Area(s)].
   3. Signature logs will be maintained for six years from the date of creation, or the date it was last in effect, whichever is later [§164.530(j)].

Maintenance Records

1. Prior to approving plans to repair, modify, or scheduling maintenance, determine whether or not the scheduled maintenance, repairs, changes, or the construction process itself, increases the security risk of ePHI. These security risks include, but are not limited to, work completed on the internal and/or external perimeter of the facilities (entryways, doors, locks, controlled access systems, walls, removing windows, etc.) and may result in:
   1. Will or has the potential to limit or remove an authorized user’s ability to access workstations and systems in which ePHI is created, received, maintained, or transmitted during regularly scheduled hours and at regularly scheduled locations.
      2. Increases the potential for unauthorized access to ePHI.
      3. Otherwise has the potential to decrease the security, confidentiality, and/or integrity of the ePHI in any way.
      2. If the maintenance indicates an increased security risk to ePHI, amend the plans to contain the following conditions:
      1. All users that need access to ePHI have access to ePHI during their regularly scheduled hours.
         1. If user will not have access to ePHI during their regularly scheduled hours, the user or user’s supervisor will be notified prior to the unavailability of the ePHI.
            2. Document all decisions made and followed as required in this policy.
            2. If the plans increase the potential for unauthorized access to ePHI, identify ways to secure ePHI throughout the project from unauthorized access.
            1. Implement 24 hour monitoring of the area with security guards or cameras.
            2. Consider changing locks and distributing keys to individuals on the project to limit the number of individuals with access
            3. Create new entryways for employees and/or patients.
            4. Document all decisions made and followed as required in this policy.
            5. Continuously monitor the project and immediately notify affected employees of any increase or change in security risks to ePHI noted during the course of the project.
            6. Document all decisions made and followed as required in this policy.
            7. If a violation of iEHR security policies and procedures is identified, it must be reported and investigated according to iEHR Security Incident Policy.
      2. Document all meetings and other efforts made to protect the confidentiality, integrity, and availability of ePHI throughout the project, to include:
      3. Description of the repair or modification including a summary of the original plans, any changes made to the plans, and reasons for any changes made to the plans.
      4. Reason for the repair or modification.
      5. Repair or modification start and end dates.
      6. Individual(s) that completed the repair or modification.
      7. Summary of all steps taken to eliminate or decrease the identified security risk(s) to ePHI, to include:
         1. Description of the identified security risk.
            2. Date the security risk was identified.
            3. Specifically what was done to eliminate or reduce the security risk(s).
            4. Dates and times steps were taken to eliminate or reduce the security risk(s).
            5. Individuals involved in eliminating or reducing the security risk(s).
         2. After completion of the project, forward all documentation to the [Insert Security or Building Manager].
      8. The [Insert Security or Building Manager] maintains all documentation for a minimum of six years [§164.530(j)].

Violations

Any individual, found to have violated this policy, may be subject to disciplinary action up to and including termination of employment.