East Carolina University
HIPAA Security Policies
Subject: Facility Access Controls
Policy #: Security-0008
Supersedes:
Effective Date: April 21, 2005
Coverage: ECU Health Care Components
Page: 1 of 2
Approved:
Revised: December 9, 2010; March 29, 2012; May 30, 2013
Review Date: May 30, 2013
HIPAA Security Rule Language: “Implement policies and procedures to limit physical access to a covered entity’s electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
Regulatory Reference: 45 CFR 164.310(a)(1)
I. PURPOSE
This policy reflects East Carolina University’s commitment to preventing unauthorized
physical access to its facilities while ensuring that properly authorized access is allowed.
II. AUTHORIZATION AND ENFORCEMENT
Health Care Component management and/or administrator(s) are responsible for
monitoring and enforcing this policy, in consultation with the ECU IT Security Officer,
the ECU HIPAA Security Officer, and the ECU HIPAA Privacy Officer.
III. POLICY
ECU Health Care Components must appropriately limit physical access to the health care
computing systems contained within their facilities while ensuring that properly authorized
workforce members can physically access such systems. ECU health care computing
systems containing EPHI must be physically located in such a manner as to minimize the
risk that unauthorized persons can gain access to them. The level of protection must be
commensurate with the identified risks.
IV. APPLICABILITY
This policy is applicable to all workforce members who are responsible for or otherwise
administer a healthcare computing system. A healthcare computing system is defined as
a device or group of devices that store EPHI which is shared across the network and
accessed by healthcare workers.
V. PROCEDURE
The following standards and safeguards must be implemented to satisfy the requirements
of this policy:
1. As defined in ECU’s Contingency Operations Standard (45 CFR 164.310(a)(2)(i)),
ECU Health Care Components must have formal, documented procedures for allowing
authorized workforce members to enter their facilities to take the actions required by
their disaster recovery and emergency mode operations plans.
2. As defined in ECU’s Facility Security Plan Standard (45 CFR 164.310(a)(2)(ii)),
ECU Health Care Components must have a facility security plan that details how they
will protect their facilities and equipment.
3. As defined in ECU’s Access Control and Validation Procedures Standard
(45 CFR 164.310(a)(2)(iii)), ECU Health Care Components must implement procedures
to control and validate individuals’ access to ECU’s facilities based on their roles or
functions.
4. As defined in ECU’s Maintenance Records Standard (45 CFR 164.310(a)(2)(iv)),
ECU Health Care Components must document all repairs and modifications to the
security-related physical components of their facilities (for example, hardware, walls,
doors, and locks).
VI. COORDINATING INSTRUCTIONS
1. All section policies, standards and procedures will be reviewed annually. Every
revision or replacement of a section policy, standard or procedure will be retained for a
minimum of six years from the date of its creation or the date it was last in effect,
whichever is later. Other East Carolina University, University of North Carolina
system, or State of North Carolina requirements may stipulate a longer retention
period.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only. All other rights reserved