Document Name: NCSA HIPAA Facility Security Procedures
This document specifies the procedures for bringing people and equipment in and out of a secured facility for processing or storing ePHI (electronic Personal Health Information) covered by HIPAA.
This applies to facilities operated by the NCSA Health Care Component, such as the Advanced Computational Health Enclave.
NCSA will track approvals and changes made to the applicable environment, keeping records for 6 years or since the inception of the program. Each step of the following workflows is approved by a member of the NCSA Health Care Component while logged in with their personal credentials, and each approval sends emails to the approver and other relevant parties.
The building manager has the only physical key and can use it to allow access for emergency personnel or if the electronic access control mechanism is broken. In these cases, they log the access afterwards with a ticket assigned to the HIPAA Liaison with the subject "Emergency Access for HIPAA Enclave". This records who was let in, when, and why. No one who is not part of the covered entity is left unescorted.
All other access is made with an electronic control that identifies each person individually. People given electronic access must be a part of the covered entity. The workflow for granting access is as follows.
The process for removing access can be triggered either via a role change from staff to non-staff (e.g., during the employee exit process), or at the request of the HIPAA Liaison.
Maintenance requests start with the building manager who works with Facilities & Services. The process for non-emergency maintenance is as follows.
If there is a disaster that causes the access control mechanisms to fail open, University staff may or may not be allowed near the facility for some time. When they are allowed back, the building manager is responsible for providing physical security to any remaining systems until controls are restored. This may mean that a person within the covered entity is physically watching the area or that equipment is moved to secure, offline storage.
The response must be documented and given to the HIPAA Liaison. This documentation must include:
A request to modify physical security controls can start with the building manager, Security Office or HIPAA Liaison. The workflow is as follows.
If equipment with ePHI is moved, it must stay within the secured facility or be moved to another secured facility. The following process is followed.
Media must be sanitized before disposal outside of the secure facility. This includes returning disks to vendors or repurposing equipment.
Wiping is done on a dedicated workstation by a method approved by the Security Office.
Anyone in the covered entity may initiate the process to remove media from the facility; the process is as follows.
The requestor will be sent instructions on how to securely transport the media out of the restricted area to the security team, using a secure container.
The container shall be locked with a key kept in the secure area.
The container will be transported to the security team for wiping / destruction.
The security team will unlock it with a second key kept at the wiping / destruction station.
Each device will be wiped or destroyed per Security Office policy.
The person wiping the media will electronically record the details of the wiped media and when it was sanitized. Then they will return the secure container to the secure area.
The media is given to the building manager, who closes the workflow and sends the drive on. If necessary, they have the original requestor fill out the RMA paperwork.