This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Facility Access Controls Access Control & Validation Procedures Policy

Reference: 45 CFR § 164.312(a)(1)
Last Updated: December 14, 2023


Goal: Describes what the organization should do to appropriately control and validate physical access to its facilities containing information systems that hold ePHI or software programs that can access ePHI.

The purpose of this policy is to maintain an adequate level of security to protect patient data and information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure a secure and reliable operation of Practice information systems.


Procedure: Only authorized users are granted access to information systems, and users are limited to specific, defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user, so that every action can be attributed to an accountable individual.

  • Access controls will be applied to all computer-resident information based on its Data Classification to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
  • Covered Entity approved system access controls will be used to limit user access to only those applications and functions for which they have been authorized.
  • Users will be granted access to information on a “need-to-know” basis. That is, users will only receive access to the minimum applications and privileges required to perform their jobs. Before approval is given, the granting of access will take into account potential conflicts with segregation of duties or incompatible job functions, and the level of access required.
  • System access will not be granted to any user without appropriate approval. Management is to immediately notify the System Administrator of all changes in user duties or employment status that affect system access. User access is to be revoked immediately if the individual has been terminated.
  • Users are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of ‘production data’ must be restricted to ‘production’ applications.
  • Users are responsible for all actions taken under their sign-on.
  • Workstations should invoke password-enabled screen savers.
  • When leaving a workstation, the user is expected to properly log out of all applications and networks.
  • Unattended workstations should enforce a time-out. Resumption of access will require the user’s password.