FACILITY SECURITY PLAN
POLICY # 31
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement policies and procedures to safeguard the facility and the
equipment therein from unauthorized physical access, tampering, and
theft.”
Policy Summary:
Sindecuse Health Center (SHC) must have a facility security plan that
details how it will protect its facilities, and the equipment therein, from
unauthorized physical access, tampering, and theft, so that the EPHI held
on that equipment is safeguarded.
Purpose:
This policy reflects SHC’s commitment to maintain a facility security
plan for protecting its facilities and all information systems contained
within them.
Policy:
1. SHC must protect the confidentiality, integrity, and availability of its
information systems by preventing unauthorized physical access,
tampering and theft.
2. SHC must maintain and regularly review a formal, documented
facility security plan that describes how its facilities and equipment
within them will be appropriately protected. The plan must be revised as
necessary.
3. SHC’s facility security plan must include appropriate safeguards for
all equipment containing electronic protected health information (EPHI).
Such equipment includes, but is not limited to: workstations, servers,
personal digital assistants (PDAs) and biomedical devices (e.g. MRI).
4. The facility security plan must be based on a risk assessment,
conducted at least annually, that assesses the risks to SHC facilities and
the information systems contained within.
5. At a minimum, SHC’s facility security plan must address the
following:
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
• Identification of SHC information systems to be protected from
unauthorized physical access, tampering, and theft.
• Identification of processes and controls used to protect SHC
information systems from unauthorized physical access,
tampering, and theft.
• Actions to be taken if unauthorized physical access, tampering,
or theft attempts are made against SHC information systems.
• Identification and definition of SHC workforce member
responsibilities.
• Notification and reporting procedures.
• A maintenance schedule that specifies how and when the plan
will be tested, as well as the process for maintaining the plan.
6. All appropriate SHC workforce members must have a current copy of
the plan. An appropriate number of current copies of the plan must be
maintained off-site.
Scope/Applicability:
This policy applies to all departments that use or disclose electronic
protected health information for any purpose.
This policy's scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Physical Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Facility Access
Controls Standard
Regulatory
Reference:
45 CFR 164.310(a)(2)(ii)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Risk means the likelihood that a specific threat will exploit a certain
vulnerability, and the resulting impact of that event.
Facility means the physical premises and the interior and exterior of a
building(s).
Responsible
Department:
Building Coordinator; Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Contingency Operations
Access Control and Validation Procedures
Maintenance Records
Facility Access Controls
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD