§164.310(a)(2)(ii): Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Audit Inquiry

Does the entity have policies and procedures in place to safeguard the facility and equipment therein from unauthorized physical access, tampering, and theft?

Does the entity safeguard the facility and equipment therein from unauthorized physical access, tampering, and theft?

Obtain and review policies and procedures related to the facility security plan. Evaluate the content in relation to the specified performance criteria for safeguarding the facility and equipment therein from unauthorized physical access, tampering, and theft.

Elements to review may include but are not limited to:
• Identification of the physical security measures in place to provide physical security protection for facilities and equipment
• Workforce members’ roles and responsibilities regarding the facility security plan
• Inventory of the entity’s facilities that house equipment that creates, maintains, receives, and transmits ePHI

Obtain and review documentation demonstrating that facility security plan procedures are implemented to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Evaluate and determine if implementation of the facility security plan is being followed appropriately and is in accordance with related policies and procedures.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable