Facility Security Plan Standard

Overview

Access to physical facilities that house Information Systems must be strictly controlled and monitored to prevent unauthorized access.

Purpose

Physical safeguards are identified by HIPAA in Section 164.310 as an important line of defense against the loss or corruption sensitive information including EPHI. This document identifies the areas of focus in the Facility Security Plan.

Scope

This standard applies to all UVA Medical Center departments that house Information Systems.

Description

The Facility Security Plan must include the following focus areas:

  • Departments housing Information Systems will provide an area-specific plan to the Information Security Office annually and whenever significant changes have been made.
  • Initiation of building projects, renovations, and work orders which affect areas where Electronic Protected Health Information (EPHI) may be stored or accessed will include a review of physical security coordinated with the Facilities Services Access Control Manager, appropriate Health System Administrators, and the Information Security Office.
  • Access to physical facility perimeters are addressed in Medical Center Policy No. 176: Access Control to Medical Center Facilities.
  • Patient, visitor, and employee identification are addressed in Medical Center Policy No. 004: Medical Center Identification.
  • Vendor access is addressed in Medical Center Policy No. 013: Vendor, Sales and Service Representatives.
  • The plan must protect business and patient records in a manner that minimizes the possibility of damage from fire, vandalism, and natural disaster. (see Contingency Planning - Disaster Recovery)
  • The Security Awareness guideline identifies and addresses workforce member responsibilities for supporting the plan.
  • The Facility Security Plan will be reviewed at least every three years and whenever significant changes have been made.
  • Departments will conduct an annual assessment of all the physical components of its facilities that are related to the protection of (EPHI).
  • Assessment results must be documented and stored in a secure manner (e.g. on a computer with appropriate file access permissions or in a locked drawer).

Document Supporting Resources