Versions Compared

Old Version 9

changes.mady.by.user Adam Slagell

Saved on

compared with

New Version 10

changes.mady.by.user Adam Slagell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Panel

Document Name: NCSA HIPAA Facility Security Procedures
Version: 1.0a
Accountable: Adam Slagell
Authors: Adam Slagell
Approved:   Waiting for approval by HIPAA OfficerJune 29, 2016

Table of Contents

Purpose

This document specifies the procedures for bringing people and equipment in and out of a secured facility for processing or storing ePHI (electronic Personal Health Information) covered by HIPAA.

...

The building manager has the only physical key and can use it to allow access for emergency personnel or if the electronic access control mechanism is broken. In these cases, they log access afterwards with a ticket assigned to the HIPAA liaison Liaison subject "Emergency Access for HIPAA Enclave". This tells who was let in, when, and why. No one is left unescorted if they are not part of the covered entity.

...

  1. Request is submitted by the building manager to the HIPAA Liaison on behalf of a staff member with the reason for the request.
  2. The HIPAA liaison Liaison checks that they are in the covered entity and approves or rejects the request.
  3. The If approved, the building manager adds the person to the access control list.
  4. The workflow is closed by the building manager. This sends an email to the building manager, HIPAA Liaison, the new staff member with access, and their manager.

The process for removing access can be triggered either via a role change from staff to non-staff (e.g., during the employee exit process), or at the request of the HIPAA liaisonLiaison.

  1. Request is submitted and goes to the HIPAA liaison Liaison for approval.
  2. Building manager receives approved request and removes access.
  3. Building manager closes the ticket. (If not closed within 24 hours or creation, Security Office is alerted). An email is sent to the person who lost access, their manager, the building manager, and the HIPAA liaisonLiaison.

Providing Access for non-Emergency Maintenance

...

  1. The building manager submits a request with a description of the maintenance request.
  2. The HIPAA liaison Liaison approves or rejects the request.
  3. If approved, the building manager submits a work order to F&S.
  4. The building manager provides an escort(s) who is a part of the covered entity and who stays with the maintenance person while in the secured area.
  5. After the work is completed, the building manager records when it was completed and by whom along with the identity of the escort.
  6. The workflow is closed by the building manager. An email is sent to the HIPAA liaison Liaison and building manager. 

Physical Security in a Disaster

...

The response must be documented and given to the HIPAA liaisonLiaison. This documentation must include:

  • Any potential exposure period during which staff were not allowed new near the enclave
  • Any missing equipment or equipment that has been clearly tampered with
  • Who was responsible for watching a the equipment and during what time periods
  • How, who and when systems were moved to a secure, offline storage facility
  • Who has access to the offline storage facility

...

  1. The building manager makes sure the request has sufficient detail and approves itforwards it to the Security Office for approval
  2. The Security Office reviews the changes and evaluates the impact of the change. The request is then rejected or approved and forwards approved requests to the HIPAA Liaison for approval
  3. The HIPAA liaison Liaison approves or rejects the request.
  4. The If approved, the building manager submits a work order to F&S.
  5. The building manager provides an escort(s) who is a part of the covered entity and who stays with the maintenance person or vendor while in the secured area doing the work. 
  6. After the work is completed, the building manager records when it was completed and by whom along with the identity of the escort.
  7. The workflow is closed by the building manager.  An email is sent to the HIPAA liaisonLiaison, Security Office and building manager. 

...

  1. A request to move equipment with dates and customer impacts is submitted to the HIPAA liaisonLiaison.
  2. The HIPAA liaison Liaison works with the appropriate offices to ensure the schedule works for the customers impacted.
  3. If applicable, data is backed up using a unique encryption key known to the person making the backup and the HIPAA liaisonLiaison.
  4. If leaving the secured facility, ePHI will be securely wiped and verified by the Security Office.
  5. The system will be powered-off and moved.
  6. The system will be restored and verified by system administrators.
  7. The ticket is closed by system administrators and an email is sent to the building manager, HIPAA liaisonLiaison, and others involved in the ticket or workflow.

...

Wiping is done on a dedicated workstation in the facility by a method approved by the security officeSecurity Office.

Anyone may start initiate the process to remove media from the facility, but it follows the following process.

  1. A request with the reason for removal is sent to the building manager who approves or rejects. If necessary, they fill out the RMA paperwork now.
  2. The HIPAA liaison Liaison approves or rejects the request.
  3. If approved, a system administrator in the covered entity wipes the drive and notes when and by whom it was securely wiped.
  4. The media is given to the building manager who closes the workflow and sends the drive on. Email is sent to all parties involved.

...