I. Scope & Applicability
This policy applies to Stanford University HIPAA Components (SUHC) facilities that house information systems that maintain electronic protected health information (ePHI).
Information systems that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.
II. Policy Statement
SUHC will limit physical access to its information systems that contain ePHI by implementing reasonable and appropriate measures to allow only authorized persons to access the facilities in which those information systems are housed.
III. Principles
- Access Control and Validation. SUHC will implement the following procedures to limit access to facilities or areas within a facility (“facility”) that are covered by this policy to authorized persons whose identities have been adequately validated.
- Facility Access Control Management. For each facility covered by this policy, the manager responsible for facility security will serve as or delegate responsibility for:
  - Facility Access Granting Authority – the person(s) having the authority to approve facility access rights for workforce members, business associates, or visitors.
  - Facility Access Control Administration – the person(s) or group responsible for administering the access control function for each facility (e.g., the distribution, retrieval, and tracking of keys or passcodes).
The Facility Access Control Administration will document facility access requests and approvals, and execution of access control mechanisms (e.g., distribution of keys, passcodes) and will retain documentation for a period of at least six years after the documented actions are no longer in effect (e.g., six years following revocation of access granting rights or facility access rights).
- Facility Access Rights. The Facility Access Granting Authority will grant access to equipment rooms and other facilities only to those persons (e.g., workforce members, business associates, visitors) who have a legitimate need to access the facility because of their roles or job functions. Facility access rights will be revoked or modified upon termination or change in access needs.
- Facility Access Validation. The SUHC local facility manager will establish in accordance with the Facility Security Plan (refer to Section III.C) control mechanisms and/or authentication procedures to validate a person’s identity and authority to access facilities based on current facility access rights. Visitors and workforce members whose roles do not require access to facilities or areas covered by this policy will be prohibited access unless they are authorized temporarily and accompanied by an appropriately authorized person.
- Contingency Operations – Emergency Access. In the event of an emergency or disaster, SUHC will modify facility access to support execution of contingency plans for information systems maintained in the facility, and Emergency Operations Center (EOC) and associated Satellite Operations Center (SOC) activities, as applicable.
- SUHC will identify for each facility (i) the authority in charge and (ii) the persons or classes of persons (e.g., workforce members, business associates, visitors) that may need facility access based on the nature and severity of an emergency or disaster.
- SUHC will develop for each facility a process to regulate access in the event of an emergency or disaster including a manual authentication process, if appropriate, to be implemented in the event that electronic means cannot be used.
- SUHC will test the emergency access processes periodically to substantiate that workforce members are aware of the processes and can respond immediately in the event of an emergency or disaster.
- SUHC will document the emergency access processes in the Facility Security Plan, as outlined in Section III.C, below.
- Facility Security Plan. SUHC will create and document a plan for each facility or group of facilities that are subject to this policy to safeguard the equipment therein from unauthorized physical access, tampering, and theft and to support restoration of lost data.
- Facilities Requiring a Security Plan. SUHC will create a Facility Security Plan for each facility that houses information systems containing ePHI, including:
- Data Centers (i.e., dedicated buildings or areas therein that house networked servers used for file storage, application hosting, data processing and other computing functions);
- Peripheral equipment locations (i.e., locations outside of data centers housing file and application servers, network switches and routers, storage arrays and similar types of devices);
- Offices that contain technical data that could be used to compromise the security of information systems that maintain or are used to access ePHI.
- Facility Security Plan Contents. Each Facility Security Plan will address:
- Exterior Safeguards. Methods and procedures for safeguarding the exterior of premises and buildings (e.g., installation of locks, surveillance cameras, fire doors, alarms or other access control devices, access control authorization and validation, visitor registration procedures), including both public and non-public entrances and exits;
- Interior Safeguards. Methods and procedures for safeguarding the interior of premises and buildings (e.g., installation of locks, alarms or other access control devices for interior doors, intrusion detection devices, access control authorization and validation);
- Equipment Safeguards. Procedures for safeguarding equipment contained within facilities and on premises (e.g., isolation of equipment; controls to guard against theft, power surges and outages, fire and other types of damage);
- Access Monitoring. Methods and procedures for collecting, retaining and reviewing facility access records (e.g., facility access logs, surveillance tapes); and
- Contingency Operations Plans. Procedures necessary to execute the disaster recovery and emergency operations mode plans (e.g., emergency access procedures).
- Facility Security Plans Review. Upon request, the Stanford University Chief Information Security Officer or delegate or Internal Audit may review a Facility Security Plan. The Plan creator will review the Plan at least on an annual basis or when material modifications are made to the Plan.
- Documentation Retention. Each Facility Security Plan will be retained for a minimum of six years from the date when it was last in effect.
- Maintenance Records. SUHC will document repairs and modifications to the physical components of a facility that are related to security (e.g., walls, doors, locks, card access system components, badge readers, surveillance cameras). The maintenance records will provide:
- Reason for the repair(s) or modification(s)
- The nature of what was repaired or modified
- The name and affiliation of the business associate or other organization engaged to perform the work, if applicable
- The name and affiliation of the technician or other professional who performed the work
- The date(s) that the work was performed and completed
- The manager who authorized the work
- The manager who approved the completion of the work
- Movement of Equipment To/From Facilities. For policy regarding the movement of equipment that contains PHI either into or out of a facility, refer to the SUHC HIPAA Security: Computing Devices and Electronic Storage Media Policy.
IV. Procedures
Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.
V. Exceptions
Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.
VI. Related Documents
- SUHC HIPAA Security: Information Access Controls Policy
- SUHC HIPAA Security: Computing Devices and Electronic Storage Media Policy
- SUHC HIPAA Security: Contingency Planning Policy
VII. Document Information
- Legal Authority/References
  Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.310(a)
- Contact for Questions Related to this Policy
  Stanford University Chief Information Security Officer
  securityofficer@stanford.edu
- Document Review History
  Version | Date       | Modified | Comments
  0.7     | 05/24/2005 | Yes      | Draft
  1.1     | 11/23/2015 | Yes      | Reviewed and updated by Aaron Arutunian
This document is intended for use by Stanford University. No representations or warrants are made for outside use. Not for outside reproduction or publication without permission.