Implement policies and procedures to limit physical access to electronic information systems and the facilities where they are housed
Physical access to servers, network equipment, workstations, and the facilities that house them must be controlled. Unauthorized physical access can result in theft of hardware containing ePHI, installation of keyloggers or rogue network devices, or direct access to systems bypassing all logical controls. HIPAA requires covered entities to limit facility access to authorized individuals and to implement controls that support data restoration in emergency situations, secure the physical facility, validate the identity of anyone requesting physical access, and document repairs and modifications to the physical environment.
Implementation steps
1. Control physical access to facilities and server rooms
   Implement access controls for facilities containing systems that process or store ePHI. This may include key card access systems, biometric locks, or coded door locks. Restrict server rooms, data closets, and wiring rooms to staff with a legitimate need. Use visitor logs and escort procedures for areas with sensitive systems.
   Tools: HID access control, Lenel, Confluence
2. Develop a facility security plan
   Document a facility security plan that describes how physical access is managed and monitored. The plan should address access authorization, visitor procedures, surveillance, alarm systems, and how physical security incidents are reported and investigated. Review and update the plan at least annually.
   Tools: Confluence
3. Validate and document physical access requests
   Establish procedures to validate the identity of individuals before granting physical access to sensitive areas. Document who has access to which areas and review access lists periodically. Remove access when individuals no longer need it (role changes, termination, end of a contractor engagement).
   Tools: HID access control, Excel, Confluence
4. Keep maintenance records
   Document all repairs and modifications to physical components of the facility that relate to security: door locks, alarm systems, camera installations, server rack additions, and network cabling. Maintenance records support investigation if a physical security incident occurs and demonstrate due diligence.
   Tools: Confluence, Excel
Evidence required
Physical access control configuration: evidence of access controls for facilities containing ePHI systems.
- Badge access system configuration
- Physical access logs
- Visitor log records
Facility security plan: documented policy for managing physical access.
- Facility security plan document
- Physical access control policy
Access list reviews: evidence that physical access lists are reviewed periodically.
- Access list review records
- Quarterly badge access audit
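The periodic access list review in step 3 and the quarterly badge access audit listed as evidence are essentially a reconciliation of the badge system's access list against the HR roster and the areas each role legitimately needs. The following is an added example of that reconciliation, not code from the page or from any badge system vendor; the badge export, HR roster, area-to-role policy and review date are all constructed sample data, and the field names are assumptions.

```python
from datetime import date

# Constructed badge-system export: who currently holds access to which restricted area.
BADGE_ACCESS = [
    {"badge_id": "B001", "person": "alice", "area": "server-room"},
    {"badge_id": "B002", "person": "bob", "area": "server-room"},
    {"badge_id": "B003", "person": "carol", "area": "wiring-closet"},
    {"badge_id": "B004", "person": "dave", "area": "server-room"},
    {"badge_id": "B005", "person": "erin", "area": "server-room"},
]

# Constructed HR roster: employment status, role, and contractor end date if any.
HR_ROSTER = {
    "alice": {"status": "active", "role": "sysadmin", "contract_end": None},
    "bob": {"status": "terminated", "role": "sysadmin", "contract_end": None},
    "carol": {"status": "active", "role": "contractor", "contract_end": date(2024, 1, 31)},
    "dave": {"status": "active", "role": "billing", "contract_end": None},
}

# Assumed policy: which roles have a legitimate need for each restricted area.
AREA_ROLES = {
    "server-room": {"sysadmin", "network-eng"},
    "wiring-closet": {"sysadmin", "network-eng", "contractor"},
}

# Constructed date on which the quarterly review is run.
REVIEW_DATE = date(2024, 4, 1)


def review_badge_access(badge_access, roster, area_roles, today):
    """Return one revocation finding per badge entry that fails the review."""
    findings = []
    for entry in badge_access:
        person = roster.get(entry["person"])
        area = entry["area"]
        if person is None:
            reason = "not on HR roster"
        elif person["status"] != "active":
            reason = "terminated"
        elif person["contract_end"] and person["contract_end"] < today:
            reason = "contract ended"
        elif person["role"] not in area_roles.get(area, set()):
            reason = f"role {person['role']} not authorized for {area}"
        else:
            continue  # access still justified; nothing to record
        findings.append({"review_date": today.isoformat(), "badge_id": entry["badge_id"],
                         "person": entry["person"], "area": area,
                         "action": "revoke", "reason": reason})
    return findings


def run_quarterly_review():
    return review_badge_access(BADGE_ACCESS, HR_ROSTER, AREA_ROLES, REVIEW_DATE)
```

The returned findings, together with a record of who actioned them, are the kind of artifact that serves as the access list review record; entries that pass review are deliberately not listed so the output is a worklist rather than a full dump.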
Related controls
- Workstation Use: specify the proper functions to be performed by workstations that access ePHI and the manner in which those functions are to be performed.
- Workstation Security: implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
- Workforce Security: implement procedures to ensure workforce members have appropriate access to ePHI and prevent unauthorized access.
- Information Access Management: implement policies and procedures for authorizing access to ePHI.