MHC HIPAA Policy Format

DRAFT
Version 3: 3/20/14
Based on HIPAA/HITECH Omnibus Rules 9/23/13
HIPAA COW
SECURITY NETWORKING GROUP
FACILITY REPAIRS AND MAINTENANCE
Disclaimer
This Facility Repairs and Maintenance Policy is Copyright © by the HIPAA Collaborative of
Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this
copyright notice is not removed. When information from this document is used, HIPAA COW
shall be referenced as a resource. It may not be sold for profit or used in commercial documents
without the written permission of the copyright holder. This Facility Repairs and Maintenance
Policy is provided “as is” without any express or implied warranty. This Facility Repairs and
Maintenance Policy is for educational purposes only and does not constitute legal advice. If you
require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA
COW has not addressed all state pre-emption issues related to this Facility Repairs and
Maintenance Policy. Therefore, this document may need to be modified in order to comply with
Wisconsin/State law.
****
Table of Contents
Policy (page 1)
Responsible for Implementation (page 2)
Applicable To (page 2)
Key Definitions (page 2)
Procedures (page 2)
1. Identify ePHI Security Risk(s) (page 2)
2. Reduce or Eliminate the ePHI Security Risk(s) (page 2)
3. Monitor for Additional Risks (page 3)
4. Documentation of the Project (page 3)
Applicable Standards and Regulations (page 4)
Sources (page 4)
Version History (page 4)
Policy:
In accordance with the standards set forth in the HIPAA Security Rule, <ORGANIZATION> is
committed to ensuring the confidentiality, integrity, and availability of all electronic protected
health information (ePHI) it creates, receives, maintains, and/or transmits. The purpose of this
policy is to establish documentation guidelines for maintenance, repairs, and modifications to the
physical components of its facilities when related to the security of ePHI, and to limit physical
access to electronic information systems and the facility(s) in which they are housed, while
ensuring that properly authorized access is allowed.
______________________________________________________________________________
© Copyright HIPAA COW
1
Responsible for Implementation:
<Facilities/Building Services/Security Manager>
Applicable To:
All workforce members
Violation of this policy and its procedures by workforce members may result in corrective
disciplinary action, up to and including termination of employment. Violation of this policy and
its procedures by others, including providers, providers' offices, business associates, and partners,
may result in termination of the relationship and/or associated privileges. Violation may also
result in civil and criminal penalties as determined by federal and state laws and regulations.
Key Definitions:
Electronic Protected Health Information (ePHI): Protected health information means individually
identifiable health information that is: transmitted by electronic media, maintained in electronic
media, or transmitted or maintained in any other form or medium.
Workforce: employees, volunteers (board members, community representatives), trainees
(students), contractors and other persons whose conduct, in the performance of work for a
covered entity, is under the direct control of such entity, whether or not they are paid by the
covered entity.
Procedures:
1. Identify ePHI Security Risk(s). Prior to approving plans to repair, modify, or schedule
maintenance for any of <ORGANIZATION’s> owned or leased facilities, the <Lead Project
Coordinator> works with the <Facilities/Building Services/Security Manager> to determine
whether or not the scheduled maintenance, repairs, changes, or the construction process
itself increases the security risk to ePHI. These security risks include, but are not limited to,
work completed on the internal and/or external perimeter of the facilities (entryways, doors,
locks, controlled access systems, walls, removing windows, etc.) and may be work that:
A. Limits or has the potential to limit or remove an authorized user’s ability to access
workstations and systems in which ePHI is created, received, maintained, or
transmitted during regularly scheduled hours and at regularly scheduled locations.
B. Increases the potential for unauthorized access to ePHI.
C. Otherwise has the potential to decrease the security, confidentiality, and/or integrity
of the ePHI in any way.
2. Reduce or Eliminate the ePHI Security Risk(s). If the changes indicate an increased
security risk to ePHI, the <Lead Project Coordinator> amends the plans to include the
following conditions:
A. All users that need access to ePHI have access to ePHI during their regularly
scheduled hours.
i. If, however, any user will not have access to ePHI during their regularly
scheduled hours, the <Lead Project Coordinator> notifies that user’s supervisor
“X” days prior to the unavailability of the ePHI. The <Lead Project
Coordinator> develops a plan to accommodate necessary changes. Document
all decisions made and followed as required in this policy.
ii. If the plans increase the potential for unauthorized access to ePHI, the <Lead
Project Coordinator> works with the <Facilities/Building Services/Security
Manager>, <IT department>, and <supervisor>, to identify ways to secure
ePHI throughout the project from unauthorized access.
a. This may include requiring measures such as 24-hour monitoring of the
area with security guards or cameras, changing locks and distributing
keys to individuals on the project to limit the number of individuals with
access, creating new entryways for workforce members and/or patients,
etc.
b. Document all decisions made and followed as required in this policy.
iii. If the plans otherwise decrease the security, confidentiality, and/or integrity of
the ePHI in any way the <Lead Project Coordinator> works with
<Facilities/Building Services/Security Manager>, <IT department>, and
<supervisor>, to identify ways to secure ePHI throughout the project.
Document all decisions made and followed as required in this policy.
3. Monitor for Additional Risks. The <Lead Project Coordinator> continuously monitors the
project and immediately notifies the <Facilities/Building Services/Security Manager>, <IT
department>, and <supervisor> of any increase or change in security risks to ePHI noted
during the course of the project. Document all decisions made and followed as required in
this policy. If a violation of <ORGANIZATION’s> security policies and procedures is
identified, it is reported and investigated according to <ORGANIZATION’s> Security
Incident Policy.
4. Documentation of the Project. The <Lead Project Coordinator> or <Facilities/Building
Services/Security Manager> facilitates documentation of all meetings and other efforts made
to protect the confidentiality, integrity, and availability of ePHI throughout the project.
A. Documentation includes, at a minimum, the following information:
i. Description of the repair or modification including a summary of the original
plans, any changes made to the plans, and reasons for any changes made to the
plans.
ii. Reason for the repair or modification.
iii. Repair or modification start and end dates.
iv. Individual(s) that completed the repair or modification.
v. Summary of all steps taken to eliminate or decrease the identified security
risk(s) to ePHI (including those identified before, during, and after the work
was completed). At a minimum, this summary includes:
a. Description of the identified security risk.
b. Date the security risk was identified.
c. Specifically what was done to eliminate or reduce the security risk(s).
d. Dates and times steps were taken to eliminate or reduce the security
risk(s).
e. Individuals involved in eliminating or reducing the security risk(s).
B. After completion of the project, forward all documentation to the
<Facilities/Building Services/Security Manager>.
i. The <Facilities/Building Services/Security Manager> maintains all
documentation for a minimum of six years.
Applicable Standards/Regulations:
- 45 CFR §164.310(a)(1) – HIPAA Security Facility Access Controls
- 45 CFR §164.310(a)(2)(iv) – HIPAA Security Rule Maintenance Records
Original Sources:
- Phoenix Health Systems, Inc. Maintenance Records Policy
Version History:
Current Version: 3/20/14
Prepared by: James Sehloff, CareTech Solutions; Kirsten Wild, Wild Consulting, Inc.
Reviewed by: HIPAA COW Security Networking Group Members: Collen Galetka, Frank Ruelas,
Lois Kallunki, Ginny Gerlach, Holly Schlenvogt, Ray Langford, Todd Fitzgerald, Allan Mundt
Content Changed: Revised to reflect current rules, technologies, and standards. **You may
request a copy of all the changes made in this current version by contacting administration at
admin2@hipaacow.org.
Original Version: 4/19/05
Prepared by / Reviewed by: HIPAA COW Administrative Workgroup; HIPAA COW Technical
Security Workgroup; HIPAA COW Physical Security Workgroup; HIPAA COW Privacy Policy
and Procedure Workgroup