© 2026 D3rx. All rights reserved.
Physical Safeguards (164.310)

Facility Access Controls Policy

45 CFR § 164.310(a)

Governs physical access to facilities that house systems containing ePHI. Covers contingency operations, facility security plans, access control and validation, and maintenance records for physical security measures.

What's Included

  • Policy document
  • Facility security checklist
  • Visitor log template
  • Maintenance records template
  • Implementation checklist
  • Annual review template
2 pages · ~991 words · 8 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview

Physical Safeguards (164.310) · Page 1 of 2

Facility Access Controls Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy establishes physical safeguards to limit access to [PRACTICE NAME]'s facilities while ensuring that authorized workforce members and visitors can access the facility as needed. Physical security is the first line of defense for the hardware and systems that contain ePHI and the paper records that contain PHI.

2. Scope

This policy applies to all facilities owned, leased, or operated by [PRACTICE NAME] where ePHI is created, received, maintained, transmitted, or stored. This includes the primary office, any satellite locations, server rooms, file storage areas, and any area where workstations accessing ePHI are located. It applies to all workforce members, business associates, vendors, visitors, and maintenance personnel who enter these facilities.

3. Policy Statement

[PRACTICE NAME] shall implement facility access controls to limit physical access to its electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed, as required by 45 CFR § 164.310(a). The practice shall address contingency operations, facility security plans, access control and validation procedures, and maintenance records.

4. Definitions

Restricted Area: Any area within the facility that contains ePHI systems, servers, network equipment, or paper records containing PHI. Access to restricted areas is limited to authorized workforce members.

Public Area: Areas of the facility accessible to patients and visitors, such as the waiting room and restrooms.

Visitor: Any person who is not a workforce member of [PRACTICE NAME], including patients, patient family members, vendors, maintenance personnel, and inspectors.

Access Control Mechanism: Any physical device or procedure used to control entry to a facility or area, such as locks, key cards, access codes, biometric scanners, or staffed reception desks.

5. Procedures

1. FACILITY SECURITY PLAN

1.1 The Security Officer shall maintain a Facility Security Plan that documents: a diagram of the facility identifying restricted areas and public areas, the types of access control mechanisms in use at each entry point, a list of workforce members authorized to access each restricted area, and procedures for granting, modifying, and revoking physical access.

1.2 Restricted areas shall include at minimum: server rooms or network closets, areas where paper records containing PHI are stored, workstation areas not visible to or accessible by the public, and any area containing backup media, portable devices, or medical devices connected to the network.

2. ACCESS CONTROL AND VALIDATION

2.1 All entry points to restricted areas shall be secured with [ACCESS CONTROL METHOD — e.g., key card system, cipher lock, keyed lock, biometric scanner].

2.2 Access credentials (keys, key cards, access codes) shall be issued only to workforce members who require access for their job duties. The Security Officer shall maintain a log of all issued credentials.

2.3 Access codes shall be changed at least [QUARTERLY/SEMI-ANNUALLY] and immediately when a workforce member with access is terminated.

2.4 The main entrance shall be monitored by [METHOD — e.g., front desk receptionist during business hours, locked exterior doors with intercom after hours].

2.5 Control of Access to Software Programs (164.310(a)(2)(iii)): In addition to controlling each person's physical access to facilities based on their role or function, [PRACTICE NAME] shall control access to software programs for purposes of testing and revision. Only authorized IT personnel or approved vendors shall be permitted to access, test, modify, or revise software programs that create, receive, maintain, or transmit ePHI. Such access shall be granted based on role and documented business need and removed when no longer required; testing and revision activities shall be performed in accordance with change-management procedures (e.g., using non-production environments where feasible and logging all changes).

3. VISITOR MANAGEMENT

3.1 All visitors shall sign in at the front desk and receive a visitor badge.

3.2 Visitors in restricted areas shall be escorted by an authorized workforce member at all times.

3.3 Visitors shall sign out and return badges upon departure.

3.4 The Visitor Log shall be retained for a minimum of [NUMBER] years.

4. MAINTENANCE AND REPAIRS

4.1 Maintenance personnel (cleaning crews, HVAC technicians, IT contractors) shall be escorted in restricted areas or, if unescorted, shall have completed a background check and signed a confidentiality agreement.

4.2 The Security Officer shall maintain a Maintenance Records log documenting: maintenance personnel identity and company, date and time of access, areas accessed, and work performed.

5. CONTINGENCY OPERATIONS

5.1 Procedures for facility access during emergencies shall be documented as part of the Contingency Plan. This includes: procedures for securing the facility during and after an emergency (e.g., fire, flood, power outage), alternate access procedures if the primary access control system fails, and procedures for verifying the integrity of physical security after an emergency.

6. ENVIRONMENTAL CONTROLS

6.1 Server rooms and areas containing critical systems shall be equipped with: appropriate temperature and humidity controls, fire detection and suppression systems, water/flood detection sensors (where applicable), and uninterruptible power supply (UPS) for critical systems.

6.2 The IT Manager shall monitor environmental controls and document any incidents or failures.

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Maintains the Facility Security Plan. Manages the access credential issuance and revocation process. Reviews the Visitor Log and Maintenance Records. Conducts periodic facility security assessments.

Front Desk Staff: Manages the visitor sign-in/sign-out process. Issues and collects visitor badges. Verifies visitor identity and purpose. Alerts the Security Officer to any security concerns.

IT Manager/Vendor ([IT CONTACT NAME]): Maintains access control systems (key card system, door locks, surveillance). Monitors environmental controls in server rooms. Reports security concerns to the Security Officer.

All Workforce Members: Follow physical access procedures. Escort visitors in restricted areas. Do not prop open secured doors or share access credentials. Report any physical security concerns to the Security Officer.

7. Review Schedule

This policy and the Facility Security Plan shall be reviewed at least annually, and whenever changes to the facility occur (e.g., office renovation, expansion, relocation, change in access control systems).

8. Regulatory References

  • 45 CFR § 164.310(a)(1) — Facility access controls (Required)
  • 45 CFR § 164.310(a)(2)(i) — Contingency operations (Addressable)
  • 45 CFR § 164.310(a)(2)(ii) — Facility security plan (Addressable)
  • 45 CFR § 164.310(a)(2)(iii) — Access control and validation procedures (Addressable)
  • 45 CFR § 164.310(a)(2)(iv) — Maintenance records (Addressable)

Templates require customization and legal review before adoption. Not legal advice.