Goal: Establishes what the organization should do to establish a facility security plan to protect its facilities and the equipment therein.
The purpose of this policy is to establish the overall physical security needs of the office and the available electronics system. This policy will also explain the use of Anti-intrusion devices or barriers used in the office to protect access to PHI.
Procedure: Covered Entity will maintain strict physical access controls to its information systems at all times and under all conditions. This includes the physical security of electronic and paper data. Physical access controls include the following:
- Visitors. All guests that require access to sensitive areas will sign a visitors log and proceed to the indicated area after an authorized escort has been assigned.
- Workstation use and location. Areas where sensitive information is regularly entered or utilized will be secured using barriers to prevent public viewing of PHI during normal working hours. Wherever feasible these areas will be locked when not in use. Printers and fax machines will be located in the most secure areas available, and will not be located in or near areas frequented by individuals or the public. Covered Entity will also follow the following requirements:
- Access to computer/fax rooms will be limited to personnel who require access for the normal performance of their duties. The private officer is responsible for determining who has physical access to computer rooms.
- Computer rooms will be securely locked when unattended, and intrusion alarms may be activated. Security cameras may be implemented to monitor the entrances to deter/detect unauthorized entry.
- Equipment housed in open areas must be attached to an immovable object by a security cable.
- Computer monitors should, when possible, be situated so that unauthorized people cannot view the information on the screen. Screen savers should be used in accordance with the Policy on Workstation Use.
- The Security Officer is responsible for installing electrical power protection devices to suppress surges, reduce static, and provide backup power in the event of a power failure.
- Equipment removed from the facility must be removed only in accordance with the relevant policy, such as for media control or for laptops, or with the permission of the designated manager. The Security Officer will keep records of the removal/receipt of such equipment.
- All personnel who detect or suspect a security problem relating to health information should immediately report the problem to the Security Officer. The Security Officer will then create a written memorandum that includes the following information:
- Narrative of the physical security problem.
- Estimate of how long the problem may have existed.
- Suggested solutions.
- Fax Machines. PHI may be transmitted by facsimile machine (“fax”), provided all other policies and procedures regarding the disclosure of PHI are observed.
