This document specifies the procedures for bringing people and equipment into and out of a secured facility used for processing or storing ePHI (electronic Personal Health Information) covered by HIPAA.
This applies to facilities operated by the NCSA Health Care Component, such as the Advanced Computational Health Enclave.
NCSA will track approvals and changes made to the applicable environment, keeping records for 6 years or from the inception of the program. Each step of the following workflows is approved by a member of the NCSA Health Care Component while logged in with their personal credentials, and each approval sends emails to the approver and other relevant parties.
The building manager has the only physical key and can use it to allow access for emergency personnel or if the electronic access control mechanism is broken. In these cases, the building manager logs the access afterwards with a ticket assigned to the HIPAA liaison with the subject "Emergency Access for HIPAA Enclave". The ticket records who was let in, when, and why. No one who is not part of the covered entity is left unescorted.
All other access is made with an electronic control that identifies each person individually. People given electronic access must be part of the covered entity. The workflow for granting access is as follows.
The process for removing access can be triggered either via a role change from staff to non-staff (e.g., during the employee exit process), or at the request of the HIPAA liaison.
Maintenance requests start with the building manager, who works with Facilities & Services. The process for non-emergency maintenance is as follows.