HIPAA Security Tip #13: Facility Security Plan

By Iseman Cunningham Riester & Hyde LLP

Covered Entities must implement policies to safeguard their facility and their equipment from unauthorized physical access, tampering, and theft. The “facility security plan” is an addressable implementation specification under the Facility Access Controls standard. Covered Entities must implement the specification unless it is inappropriate or unreasonable and cannot be met through an alternative measure.

When developing a facility security plan, Covered Entities should address protection of health information in both electronic and paper media. Although the Security Rule itself applies only to electronic health information, the Privacy Rules mandate “appropriate physical safeguards” to protect the privacy of health information — both electronically and on paper.

The facility security plan is not simply a static description of security measures. The plan should include policies and procedures to deal with reasonably anticipated events, such as reporting and removing unauthorized individuals. Reliance on third parties to provide any component of physical security should be considered in the plan as well. For example, an ambulatory surgery center located in one suite of a medical office building should document its consideration of security provided by the building owner – if any. Conversely, a hybrid entity (an organization whose “Covered Entity” functions form a discrete component) need only develop a facility security plan for the component of its operations housing health information.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.

HIPAA Security Tips Archive

No posts to display