By Iseman Cunningham Riester & Hyde LLP
Covered Entities must implement procedures to control and validate access to facilities based on role or function. The procedure must include visitor control. Access control and validation is an “addressable” requirement under the Facility Access Controls standard. Covered Entities must implement the specification unless it is inappropriate or unreasonable and cannot be met through an alternative measure.
“Access controls” include more than locks and keycards. Physical barriers such as walls and fences should be assessed if they are relied upon to control access to the facility (or specific rooms within the facility). A room for storing health information may be locked, but it is not secure if the walls of the room don’t extend above the false ceiling, allowing someone to enter the room with relative ease.
As a general practice, access control procedures should be designed with internal controls built in. That means employing a system of checks and balances to ensure that one person acting alone cannot thwart facility security measures. In a facility employing keycards, for example, the individual responsible for coding the cards should not be the same person as the one reviewing access logs. With effective internal controls, inappropriate access would require the cooperation of two or more individuals, making such an event less likely.
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.