Facility Access Controls

Policy No.                   8-27-2019 Revised Date: 

Introduction:

The following describes WSU Employee Wellness’s policy regarding facility access controls.

Definitions:

Access: means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.  However, this definition only applies to the security standards for the protection of electronic PHI.

Business Associate: means a person who (a) on behalf of WSU Employee Wellness or on behalf of an organized health care arrangement in which WSU Employee Wellness participates, (other than in their capacity as a Workforce member of WSU Employee Wellness or the organized health care arrangement), creates, receives, maintains, or transmits protected health information for a function or activity regulated under HIPAA, including claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; patient safety activities listed at 42 C.F.R. 3.20; billing; benefit management; practice management and re-pricing; or (b) provides, other than in their capacity as a Workforce member, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for WSU Employee Wellness, or to or for an organized health care arrangement in which WSU Employee Wellness participates, where the provision of the service involves the disclosure of protected health information from WSU Employee Wellness, the organized health care arrangement, another business associate of WSU Employee Wellness, or another business associate of the organized health care arrangement.  A covered entity may be a business associate of another covered entity.  A business associate also includes (i) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information, (ii) a person that offers a personal health record to one or more individuals on behalf of a covered entity, or (iii) a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.  
However, a business associate does not include (i) a health care provider, with respect to disclosures by a covered entity to the health care provider concerning treatment of an individual; (ii) a plan sponsor, with respect to disclosures by a group health plan to the plan sponsor, to the extent that the requirements of §164.504(f) of this subchapter apply and are met; (iii) a government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law; or (iv) a covered entity participating in an organized health care arrangement that performs a function, activity or service described above to or for such organized health care arrangement.

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media.

Facility: means the physical premises and the interior and exterior of a building(s).

Information system: means an interconnected set of information resources under the same direct management control that shares common functionality.  A system normally includes hardware, software, information, data, applications, communications and people.

Protected Health Information: means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.

Policy:

WSU Employee Wellness shall limit physical access to its information systems containing electronic protected health information (“PHI”) and to the facilities in which they are housed.  WSU Employee Wellness shall ensure that all facilities housing WSU Employee Wellness’s information systems containing electronic PHI are secured at all times by lock and key or another appropriate security mechanism, so that access is limited to authorized personnel only.
A. Contingency Operations

WSU Employee Wellness shall permit access to all authorized workforce members and business associates involved in the repair of WSU Employee Wellness’s information systems containing electronic PHI, and in the restoration of lost data, in accordance with WSU Employee Wellness’s contingency plans.  The Security Officer shall provide, as appropriate, such authorized workforce members and business associates access to rooms and areas containing any back-up data stored on-site or off-site.  Physical access by such individuals retrieving back-up media should be logged whenever feasible.  The log should include, to the extent possible, the name of the person, the date, the materials removed, and other appropriate details.
B. Facility Security Plan

WSU Employee Wellness shall safeguard its facilities and equipment from unauthorized physical access, tampering, and theft.  The Security Officer will maintain records of authorized personnel and of any device (such as a key or key card) that would allow them physical access to the facilities housing WSU Employee Wellness’s information systems containing electronic PHI.  WSU Employee Wellness requires authorized personnel to report the loss or theft of any device they were given that would allow them physical access to such facilities.  WSU Employee Wellness will maintain a log of lost or stolen devices that includes, to the extent possible, the name of the person, the date, the device, and any information surrounding the loss or theft.  All routine repairs and maintenance will be done during business hours, to the extent possible, with WSU Employee Wellness’s workforce members present to oversee the work and ensure that inappropriate access and actions are not taken.  An inventory of information resources that access or contain electronic PHI will be maintained by WSU Employee Wellness.  A reconciliation of the information resources inventory should take place annually.
C. Access Control and Validation Procedures

WSU Employee Wellness controls and validates a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.  WSU Employee Wellness will provide workforce members with access rights to highly sensitive areas only as needed to accomplish a legitimate business task.  WSU Employee Wellness will periodically review and, where necessary, revise access rights to the facilities and information systems containing electronic PHI.  WSU Employee Wellness will track and log physical access to the facilities and will maintain those records in a secure manner.

WSU Employee Wellness shall instruct workforce members not to attempt to gain physical access to facilities with information systems containing electronic PHI for which they have not been given proper authorization.  If it is necessary for a contractor to have access to software for modification or testing, the Security Officer (or his or her designee) shall, where possible, place the software on a stand-alone machine that does not allow access to WSU Employee Wellness’s information systems containing electronic PHI.  If that is not possible, the Security Officer (or his or her designee) shall limit, as much as possible, the contractor’s access to only those information systems containing electronic PHI that are necessary for the contractor to perform his or her job functions.

D. Maintenance Records

WSU Employee Wellness shall be responsible for ensuring that repairs and modifications to the physical components of the facility that are related to security (for example, hardware, walls, doors and locks) are completed.