Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 9 - Facility Access Controls


Title: Facility Access Controls
Policy: SEC-09.00
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.310(a)(1)
Standard: Facility Access Controls
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify the steps needed to secure the physical facilities of OSU.

Policy

OSU will implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.  §164.310(a)(1)

Procedure

OSU will document all policies and procedures related to the above stated policy.

The policies are subject to change or modification on an as-needed basis.

The HIPAA Compliance Office will work with Physical Plant, IT, the Safety Officer, and Campus Police, as needed, to secure all locations that house PHI.


Title: Contingency Operations
Policy: SEC-09.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.310(a)(2)(i)
Standard: Facility Access Controls
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify contingency operations for the security of PHI and facilities.

Policy

OSU will establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.  §164.310(a)(2)(i)

In the event of a disaster or emergency, OSU security personnel and/or its contractors will monitor and restrict access to the building or areas housing any form of PHI.

Procedure

When a disaster or emergency occurs, the security vendor and/or Campus Police will contact the Director of Campus Police, the Medical Director, and the Director of Clinic Financial Operations.  The vendor and/or Campus Police will then secure all areas as necessary.  Operations will then be based upon the facility contingency plan.

Reference

Contingency Plan policy SEC-06.03 Emergency Mode Operations.

Title: Facility Security Plan
Policy: SEC-09.02
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.310(a)(2)(ii)
Standard: Facility Access Controls
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify the process to secure facilities housing EPHI.

Policy

OSU will implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.  §164.310(a)(2)(ii)

Procedure

Employees will take necessary steps to protect and secure protected health information in their areas.

To the extent possible, key distribution is kept to a minimum.  Only authorized staff may obtain a building master key, and its use shall be documented.  Any loss of a building master key will be reported to the Office Manager and/or Department Head as well as Physical Plant.

Each employee shall assume responsibility for assisting in maintaining a secure workplace.  This includes controlling access by non-staff to patient care areas and work areas.  Any suspicious behavior by non-staff should be addressed by OSU staff or a supervisor.  If any potential risk to staff or patients is perceived, OSU Security should be contacted immediately.

To minimize unauthorized access to our patients' confidential information, staff should, to the extent possible, refrain from accessing areas to which they are not assigned.  Staff should also politely challenge other staff who are present in work areas to which they are not assigned.

Staff should, to the greatest extent possible, minimize or prevent non-staff from entering OSU work areas.  This includes friends, family, students, and other OSU staff.  It is recognized that this is not always possible; in such circumstances the employee should take steps to cover work, log off computers, and in any other way possible prevent unauthorized individuals from observing or having visual or auditory contact with protected health information of any kind.

It is recognized that from time to time it will be necessary for maintenance and repair personnel to be in areas in which confidential information is present.  All routine repairs and maintenance will be done during business hours with staff available to oversee and ensure that inappropriate access and actions are not taken.  In the case of emergencies, OSU will cooperate with OSU Physical Plant and other university-authorized staff to allow access to the areas needing repair while ensuring that inappropriate behaviors are prevented.

Reference

PRV-14.01 Facility Security

Title: Access Control & Validation
Policy: SEC-09.03
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.310(a)(2)(iii)
Standard: Facility Access Controls
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Maintain records of distributed keys.

Policy

OSU will implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.  §164.310(a)(2)(iii)

Procedure

In order to receive a key or access card, employees must complete the Key Requisition Form located on the OSU CHS Centernet web page.  This form must be approved by the department supervisor and the Physical Plant Director.

Keys must be returned to Physical Plant upon termination, transfer, or change in job function.

Keys or access cards will be distributed only to authorized personnel, and approval must be obtained prior to the release of keys or cards.

Physical access to areas containing ePHI (data centers) must be approved by the CHS HIPAA Compliance Office and by the Information Technology Department.

Most software companies do not track access to PHI within test systems.  Therefore, access to test systems that contain PHI will be limited to IT, HIT staff, and those deemed necessary to test the software and its functions.  Staff may have access to a test system as long as the data within the system is all test data and not real PHI.

Visitors, such as auditors or vendors, who need access to the various systems may use a service account.  The department being visited shall document which service account was used and the name of the visitor.  If a visitor needs a key or access card, the department will arrange for such access with the appropriate OSU staff.

Title: Maintenance Records
Policy: SEC-09.04
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.310(a)(2)(iv)
Standard: Facility Access Controls
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Maintain records of maintenance in areas housing PHI.

Policy

OSU will implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Records of maintenance activity related to security or access in areas housing PHI, both written and electronic, will be maintained by Physical Plant.

Procedure

Physical alterations to facilities that change the access to or security of PHI, both written and electronic, will be documented and logged by Physical Plant.  Responsibility for maintaining these records will be designated by the Director of Physical Plant.
