
This is a FREE sample of a Pharma Privacy Watch reprint.
For information about ordering the complete reprint (VS006) or subscribing to Pharma Privacy Watch, see Order Form.

HIPAA Final Security Rule Interactive Matrix

Note from preamble: The matrix displays, in tabular form, the administrative, physical, and technical safeguard standards and related implementation specifications described in this final rule in § 164.308, § 164.310, and § 164.312. It should be noted that the requirements of § 164.105, § 164.314, and § 164.316 are not presented in the matrix.

§ 164.310: PHYSICAL SAFEGUARDS

(1) R = Required; A = Addressable (see Implementation Specifications)

Standards                    Sections         Implementation Specifications (1)
Facility Access Controls     164.310(a)(1)    Contingency Operations (A)
                                              Facility Security Plan (A)
                                              Access Control and Validation Procedures (A)
                                              Maintenance Records (A)
Workstation Use              164.310(b)       Std includes all necessary instructions for implementation (R)
Workstation Security         164.310(c)       Std includes all necessary instructions for implementation (R)
Device and Media Controls    164.310(d)(1)    Disposal (R)
                                              Media Re-use (R)
                                              Accountability (A)
                                              Data Backup and Storage (A)

§ 164.310 Physical safeguards.

A covered entity must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

(2) Implementation specifications:

(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

For information about ordering the complete reprint (VS006) or subscribing to Pharma Privacy Watch, contact:

John Mack, Editor
VirSci Corporation
PO Box 760
Newtown, PA 18940
215-504-4164, 215-504-5739 FAX
johnmack@virsci.com