In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009.
What to Do
Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
How to Do It
The Security Official is responsible for ensuring that this implementation specification is in place. The Security Official should create and maintain a log and a description of repairs or modifications made to the covered entity’s physical security components. The log should document in writing any action taken in that regard. The Security Rule requires that that log be maintained for a period of six years after completion of each maintenance action regarding physical security. The log may be maintained in electronic format, but the log retention time requires that electronic logs be routinely backed up.