East Carolina University HIPAA Security Policies

Subject: Facility Access Controls
Policy #: Security-0008
Supersedes:
Effective Date: April 21, 2005
Coverage: ECU Health Care Components
Page: 1 of 2
Approved:
Revised: December 9, 2010, March 29, 2012, May 30, 2013
Review Date: May 30, 2013

HIPAA Security Rule Language: “Implement policies and procedures to limit physical access to a covered entity’s electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

Regulatory Reference: 45 CFR 164.310(a)(1)

I. PURPOSE

This policy reflects East Carolina University’s commitment to prevent unauthorized physical access to its facilities while ensuring that properly authorized access is allowed.

II. AUTHORIZATION AND ENFORCEMENT

Health Care component management and/or administrator(s) are responsible for monitoring and enforcing this policy, in consultation with the ECU IT Security Officer, ECU HIPAA Security Officer, and ECU HIPAA Privacy Officer.

III. POLICY

ECU Health Care Components must appropriately limit physical access to the health care computing systems contained within its facilities while ensuring that properly authorized workforce members can physically access such systems. ECU health care computing systems containing EPHI must be physically located in such a manner as to minimize the risk that unauthorized persons can gain access to them. The level of protection must be commensurate with that of identified risks.

IV. APPLICABILITY

This policy is applicable to all workforce members who are responsible for or otherwise administer a healthcare computing system. A healthcare computing system is defined as a device or group of devices that store EPHI which is shared across the network and accessed by healthcare workers.

V. PROCEDURE

The following standards and safeguards must be implemented to satisfy the requirements of this policy:

1. As defined in ECU’s Contingency Operations Standard, ECU Health Care Components must have formal, documented procedures for allowing authorized workforce members to enter its facilities to take necessary actions as defined in its disaster recovery and emergency mode operations plans.

2. As defined in ECU’s Facility Security Plan Standard, ECU Health Care Components must have a facility security plan that details how it will protect its facilities and equipment.

3. As defined in ECU’s Access Control and Validation Procedures Standard, ECU Health Care Components must implement procedures to control and validate individuals’ access to ECU’s facilities based on their roles or functions.

4. As defined in ECU’s Maintenance Records Standard, ECU Health Care Components must document all repairs and modifications to the physical components of its facilities that are related to security.

VI. COORDINATING INSTRUCTIONS

1. All section policies, standards and procedures will be reviewed annually. Every section policy, standard and procedure revision/replacement will be maintained for a minimum of six years from the date of its creation or when it was last in effect, whichever is later. Other East Carolina University, University of North Carolina system, or state of North Carolina requirements may stipulate a longer retention period.

Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. Page 1 of 2