§164.310(a)(1): Implement policies and procedures to limit physical access to [an entity’s] electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Audit Inquiry
Does the entity have policies and procedures in place regarding access to and use of facilities and equipment that house ePHI?
Does the entity limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring properly authorized access is allowed?
Obtain and review policies and procedures regarding facility access control. Evaluate the content in relation to the relevant specified performance criteria regarding physical access to electronic information systems and use of facilities and equipment that house ePHI.
Evaluate and determine whether the policies and procedures identify the countermeasures implemented to control physical access and to detect, deter, and/or prevent unauthorized or unrestricted access to electronic information systems and the facilities in which those systems are housed.
Elements to review may include but are not limited to:
• Workforce members’ roles and responsibilities in facility access control procedures
• Management involvement in the facility’s access controls procedures
• The process of how authorization credentials for facility access are issued
• The process of removing workforce members’ authorization credentials for physical access when such access is no longer required
• Identification of how visitors’ access is monitored
• Methods for controlling and managing physical access devices
• Facilities and areas that have physical access control implemented to safeguard ePHI
Obtain and review documentation of workforce members with authorized physical access to electronic information systems and the facility or facilities in which they are housed. Evaluate and determine whether authorized workforce members are listed for each area where electronic information systems reside; whether each listed member has been approved by appropriate management; whether the list of authorized workforce members is reviewed on a continuing basis; and whether members are removed from the list when their access is no longer required.
Obtain and review documentation of procedures for granting individuals access to the entity’s facility or facilities where electronic information systems are housed. Evaluate and determine whether physical access authorization is enforced at the facility’s entry/exit points; whether an individual’s access authorization is verified before access to the facility is granted; and whether physical access audit logs for entry/exit points are maintained and reviewed on a continuing basis.
Obtain and review documentation of visitor physical access to electronic information systems and the facility or facilities in which they are housed. Evaluate and determine whether visitors are supervised in locations where electronic information systems reside and whether their activities are documented and monitored.
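The two checks above (a roster of authorized workforce members that is reviewed and pruned, and entry/exit audit logs that are reviewed against it) are routinely done by hand from a badge-system export; the reconciliation itself can be scripted. The following is an added example, not part of the audit protocol and not any entity’s actual procedure: the roster layout, the CSV badge-reader export format, and every name, badge number and area code are constructed for illustration. It flags log entries inconsistent with the roster (unknown badge, use after revocation, use in an area the holder is not authorized for) and lists current roster entries with no badge activity in a given window as candidates for the "no longer required" review.

```python
"""Reconcile badge-reader logs against a physical-access authorization roster.

Added example for the facility access control audit checks. The roster and
log formats are hypothetical and all data below is constructed, not real.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    badge: str
    name: str
    areas: frozenset          # area codes this badge may enter
    granted: date             # date management approved the access
    revoked: Optional[date] = None  # None while the authorization is current


# Constructed roster (hypothetical format: one entry per badge).
ROSTER = {
    "B1001": Authorization("B1001", "A. Ortiz", frozenset({"DC-EAST", "IDF-2"}), date(2023, 1, 9)),
    "B1002": Authorization("B1002", "J. Lee", frozenset({"IDF-2"}), date(2023, 6, 1)),
    "B1003": Authorization("B1003", "M. Chen", frozenset({"DC-EAST"}), date(2022, 3, 14),
                           revoked=date(2024, 2, 29)),
    "B1004": Authorization("B1004", "R. Patel", frozenset({"IDF-2"}), date(2023, 9, 1)),
}

# Constructed badge-reader export, CSV columns: timestamp,badge,area,result.
LOG_LINES = [
    "2024-03-04T08:02:11,B1001,DC-EAST,GRANTED",
    "2024-03-04T08:05:40,B1002,IDF-2,GRANTED",
    "2024-03-04T09:17:03,B1002,DC-EAST,GRANTED",  # J. Lee is not authorized for DC-EAST
    "2024-03-04T22:41:55,B1003,DC-EAST,GRANTED",  # badge used after revocation: control failure
    "2024-03-05T07:58:20,B9999,IDF-2,DENIED",     # badge not on roster; reader refused it
    "2024-03-05T08:01:02,B1003,DC-EAST,DENIED",   # revoked badge tried again; reader refused
]


def parse_log_line(line):
    """Split one export line into (datetime, badge, area, result)."""
    ts, badge, area, result = line.strip().split(",")
    return datetime.fromisoformat(ts), badge, area, result


def review_access_log(lines, roster):
    """Return (timestamp, badge, area, result, reason) for each log entry that
    is inconsistent with the roster. Entries with result GRANTED are control
    failures; DENIED entries still document attempted misuse of a credential."""
    findings = []
    for line in lines:
        ts, badge, area, result = parse_log_line(line)
        auth = roster.get(badge)
        reason = None
        if auth is None:
            reason = "badge not on authorization roster"
        elif ts.date() < auth.granted:
            reason = "used before authorization date"
        elif auth.revoked is not None and ts.date() >= auth.revoked:
            reason = "used after authorization was revoked"
        elif area not in auth.areas:
            reason = "area not among badge holder's authorized areas"
        if reason is not None:
            findings.append((ts, badge, area, result, reason))
    return findings


def control_failures(findings):
    """Subset of findings where the door actually opened (result GRANTED)."""
    return [f for f in findings if f[3] == "GRANTED"]


def stale_authorizations(lines, roster, as_of, max_idle_days=90):
    """Badges still current as of `as_of` (ISO date string) that show no
    activity within max_idle_days: candidates for the removal review."""
    as_of_date = date.fromisoformat(as_of)
    last_seen = {}
    for line in lines:
        ts, badge, _, _ = parse_log_line(line)
        if badge not in last_seen or ts > last_seen[badge]:
            last_seen[badge] = ts
    cutoff = as_of_date - timedelta(days=max_idle_days)
    stale = []
    for badge, auth in roster.items():
        if auth.revoked is not None and auth.revoked <= as_of_date:
            continue  # already removed; nothing to review
        seen = last_seen.get(badge)
        if seen is None or seen.date() < cutoff:
            stale.append(badge)
    return sorted(stale)


if __name__ == "__main__":
    found = review_access_log(LOG_LINES, ROSTER)
    for ts, badge, area, result, reason in found:
        print(f"{ts.isoformat()} {badge} {area} {result}: {reason}")
    print("control failures:", len(control_failures(found)))
    print("idle authorizations to review:", stale_authorizations(LOG_LINES, ROSTER, "2024-03-05"))
```

The distinction between GRANTED and DENIED findings matters for the audit: a DENIED entry for a revoked badge is the control working as designed (and is still worth documenting as an attempted misuse), while a GRANTED entry after the revocation date shows that removal of the credential was not actually enforced at the reader. The idle-badge list is only a prompt for the management review the protocol asks for; it does not by itself establish that access is no longer required.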
Required/Addressable
Required