Finding the right team for providing risk assessment support is hard enough. A lot of organizations are so excited when our team comes in and the client finally has their HIPAA Risk Assessment completed. They have the paper work needed to hand off to the auditors or to say “here, this evidence of our best efforts to be compliant”. However, more times than not, the Physical Security and the evidence of compliance stated in the policies and procedures are never put into action a year after the assessment. Unfortunately, the risk assessment support is the first stage of actual compliance. The dry holiday reading comes next. Plowing through the read will save you a ton of money later in breaches and potential lawsuits in the future. We will pair down some of that reading; and not only point out some key points here that many organizations miss but also offer some of the risk assessment support solutions to mitigate some important issues with:
- Risk Profile Assessment – Performed after IT changes the environment. A lot of IT projects means many IT Risk Profile Assessments. It definitely doesn’t take as long as the annual but should be considered when we making changes to the IT environment.
- Physical Security – We should probably implement those very reasonably priced Arlo surveillance cameras since there’s no door, www.ilobby.com touch screen for vendors or whoever else we want log for visitor management, and locking the back door.
- Backup and Calendar Training Reminders – The organization should screen shot their recurring brown bag HIPAA training sessions and send it to any email mailbox like email@example.com for six years retention of logs. This is evidence of compliance.
- Secured Door – Many organizations do not have a door to secure the services area. Services need to be secured or we need research if we are allowed an exception through the security measures.
See below for the actual Policies and Procedures that are in place for many organizations to follow:
45 CFR §164.310(a)(2)(ii) “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”
Policy: Based on our Risk Analysis, we will create a written Facility Security Plan describing the steps to limit physical access to systems that access or store ePHI. This plan must be updated as necessary.
Procedure: We will document physical security controls. Allow authorized access and deny unauthorized access to and within facilities, to limit access to devices that can access or store ePHI. Authorized users must be identified by name, title, or job role. Methods used to control physical access can include door locks, electronic access control systems, security officers, or video monitoring. Access to our facilities and systems will be controlled so only authorized individuals will be granted access. Workforce members will have access to facility based on their roles and functions.
45 CFR §164.310(a)(2)(iii) “Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.”
Policy: We will take steps to control and validate a person’s access to facilities. In addition, we will do the following:
- Provide appropriate access for people based on their role or function. Controls will vary based on the facility and the organization’s size. In some cases signage may be sufficient, while in other cases electronic access control systems and security guards may be appropriate. Everyone shall pay attention to locking cabinets with ePHI or Confidential Information, locking doors and windows after hours;
- Workforce shall exercise vigilance about our property and shall report to Security Officer immediately any incidents, theft, unauthorized access or tampering with our property and especially with information systems components;
- Doors to the waiting room shall be locked at the end of each business day;
- Doors between the waiting and service areas shall be locked so they could only be opened from the service area, and access to the service area shall be monitored from the front desk;
- Any additional entrance doors (non-monitored) to the facility shall always be locked so they only are opened from inside by authorized workforce or in emergency situation;
- Any suspicious individuals wandering around the facility shall be confronted and asked about the purpose of being within the facility;
- All non-patients and non-workforce individuals shall sign-in at the front desk (sign-in sheet shall document entry). Visitor’s name, company and access time will be recorded in the sign-in sheet at the front desk. When sign-in sheet not used all visitors have to be accompanied by staff when entering practice beyond waiting area.
- All workforce staff shall sign in their respective timesheets when coming in or leaving the facility.
- Facility repairs and modifications shall be documented (scope, date and by whom).
- When security monitoring systems are used (e.g. CCTV), Security Officer will determine who has access to these systems and recording media, and frequency of media retention and reuse.
Risk Assessment Support for Physical Security Summary
We all agree that maintaining compliance is a tough uphill battle but implementation of these key points could save your business from a catastrophic situation, even bankruptcy.