Policy Summary
It is the policy of UW–Madison that the units of the UW HCC and each unit within UW–Madison that is a business associate of a covered entity (hereafter collectively referred to as “units”) ensure the confidentiality, integrity, and availability of all protected health information by establishing the following documentation and procedural requirements.
- Implement procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. The following components must be included in order to form a complete facility security plan:
- Implement procedures to limit a person’s physical access to restricted or sensitive areas based on their role.
- The procedures must permit access to electronic protected health information for contingency operations in accordance with the unit’s continuity of operations plan, as described in UW-127 HIPAA Security Contingency Planning.
- Physical access to restricted areas is limited to only those authorized in accordance with those procedures.
- All workforce members are responsible for reporting an incident of unauthorized access to restricted areas as described in UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information.
- Implement procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, walls, doors, locks, and other hardware intended to limit physical access). In managing and monitoring the security of the facilities and in planning and performing such maintenance, repairs, or modifications, the unit will:
- Identify material increases in security risks to protected health information;
- Reduce those increased risks to the extent feasible;
- Monitor for additional material increases in security risks; and
- Properly document the project.
- Responsibility for compliance with specific aspects of this policy in specific circumstances will be assigned in the unit’s safeguard implementation plan (or the equivalent) as described in UW-124 HIPAA Security Risk Management.
Policy Detail
I. Security of Restricted Areas
- Restricted areas and facilities are locked or otherwise secured when unattended.
- Only authorized workforce members and vendors receive keys, card access, or access codes to access restricted areas, as authorized by the unit’s HIPAA security coordinator, or designee.
- Workforce members or vendors are required to return the key(s) to the designated office or individual (such as the Human Resources department or supervisor) on their last day of employment/last day of contracted work or services being provided.
- Workforce members and vendors must report a lost or stolen key or access card as described in UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information.
- When a key is reported lost or stolen the facilities/building services/security manager facilitates the changing of the lock(s) within one business day. Access codes and card access are adjusted as soon as possible when an access card is reported lost or stolen or there are changes to those authorized to access the area.
II. Persons Allowed in Restricted Areas
- Workforce members as approved by their supervisor and as needed to perform their job duties.
- Vendors who are on a long-term contract once oriented to the areas, without an escort.
- Other vendors with an escort into and out of the restricted areas.
- Other visitors (not vendors) with an escort into, out of, and while moving around within restricted areas.
III. Enforcement of Access to Restricted Areas
- When a workforce member discovers an unauthorized person or persons accessing or attempting to access a restricted area, do not attempt to detain them or to investigate the incident. Instead, do one of the following:
- If you believe it is safe to do so, immediately and politely ask where they intend to go, escort them out of the restricted area, and escort or direct them to their intended destination.
- If you believe it might be unsafe to approach, interact, or continue to interact with them, get to a safe place as quickly as you safely can and dial 911 to report an intrusion.
In either case, follow up by reporting the unauthorized access as described in III.2 below.
- Report unauthorized access to restricted areas or other violations of this policy as described in UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information.
- Workforce members in violation of this policy may be subject to disciplinary action as described in UW-138 Responding to Employee Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security Rules.
- Vendors in violation of this policy may be subject to termination of services.
- Other visitors in violation of this policy may be subject to the loss of visiting privileges.
IV. Security of Sensitive Areas
- When a sensitive area is unattended and unlocked/unsecured, all media containing protected health information must be protected by one or both of the following:
- Locked in storage closets, cabinets, or other secure containers that are treated as restricted areas; or
- Encrypted according to UW-132 HIPAA Security System Access.
- All workstations or other devices within sensitive areas that store or process electronic protected health information must be secured as described in UW-132 HIPAA Security System Access.
V. Identifying PHI Security Risk(s) When Changing the Physical Facilities
Prior to approving plans to repair, modify, or schedule maintenance of physical facilities, the lead project coordinator works with the facilities/building services/security manager to determine whether the scheduled maintenance, repairs, changes, or construction process itself materially increases the security risk to protected health information. These security risks include, but are not limited to, work completed on the internal and/or external perimeter of the facilities (entryways, doors, locks, controlled access systems, walls, removing windows, etc.) and may result in:
- Material potential to limit or remove an authorized user’s ability to access workstations or other devices in which protected health information is created, received, maintained, or transmitted during regularly scheduled hours and at regularly scheduled locations.
- Material increases in the potential for unauthorized access to protected health information.
- Other material increases in risk to the confidentiality, integrity, or availability of protected health information.
An increase in risk is material if the risk determination changes from “low” to “medium” or from “medium” to “high” as measured by the risk assessment procedure currently in use (such as the example risk assessment procedure described in UW-124 HIPAA Security Risk Management).
VI. Reducing PHI Security Risk(s) When Changing the Physical Facilities
If the changes to the physical facilities indicate a material increase in the security risk to protected health information as described in V. above, the lead project coordinator works with the facilities/building services/security manager to amend the plans to contain the following conditions:
- All users that need access to protected health information have access to it during their regularly scheduled hours. If, however, any user will not have access to protected health information during their regularly scheduled hours, the lead project coordinator notifies that user’s supervisor prior to the unavailability of the information. The lead project coordinator and supervisor develop a plan to accommodate necessary changes. Document all decisions made and followed as required in this policy.
- If the plans increase the potential for unauthorized access to protected health information, the lead project coordinator works with the facilities/building services/security manager, unit IT department, and supervisors, to identify ways to secure protected health information throughout the project from unauthorized access. Document all decisions made and followed as required in this policy.
- If the plans otherwise increase risk to the confidentiality, integrity, or availability of the protected health information, the lead project coordinator works with facilities/building services/security manager, unit IT department, and supervisors, to identify ways to secure protected health information throughout the project. Document all decisions made and followed as required in this policy.
VII. Monitoring for Additional Risks When Changing the Physical Facilities
- During the course of the project, the lead project coordinator continuously monitors the project and immediately notifies the facilities/building services/security manager, unit IT department, and supervisors of any material increase in security risks to protected health information (including printed media).
- If a violation of HIPAA security policies and procedures is identified, it is reported and investigated according to UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information.
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.