Facilities Access Control

Overview

The Health Insurance Portability and Accountability Act (HIPAA) § 164.310(a)(1), Physical safeguards, states: "A covered entity must in accordance with § 164.310: Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed." Owners of Information Systems are required to have physical safeguards in place that limit access to Information Systems that contain Electronic Protected Health Information (EPHI).

Purpose

To ensure that all systems containing Electronic Protected Health Information (EPHI) are located in areas that minimize the risk of unauthorized access.

Scope

This standard applies to Owners of Information Systems.

Description

Owners of Information Systems containing EPHI must appropriately limit physical access to the systems contained within their facilities while ensuring that properly authorized workforce members can physically access such systems.

Systems containing EPHI must be physically located in such a manner as to minimize the risk of unauthorized persons gaining access to them. The level of protection must be commensurate with the identified risks.

Document Supporting Resources