06-Facility Access Control
Approved by: William Voss | Effective: April 1, 2024 |
Review: Annual | Revised: |
Renewed By: | Renewed: |
Facility Access Controls
Policy Statement
It is the policy of River City TMS, PLLC to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Procedure
-
Contingency Operations §164.310(a)(2)(i)
River City TMS, PLLC shall have an established procedure that allows facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan (Policy 10: Contingency Planning) in the event of an emergency.
-
Facility Security Plan §164.310(a)(2)(ii)
The following River City TMS, PLLC procedures shall be in place to safeguard the facility and equipment therein from unauthorized physical access, tampering and theft:
- IT equipment will be stored in rooms with locking doors and will be monitored when doors are unlocked. Keys to the locked room will be held by designated staff
-
Workforce members will maintain diligence in monitoring facility access and adhering to the facility security plan.
-
State and local building codes will be observed. Manufacturer’s recommendations on the fire protection of individual hardware will be followed.
-
Access Control and Validation §164.310(a)(2)(iii)
Procedures shall be in place to control and validate a person’s access to facilities and will be based on their role or function, including visitor control and control of access to software programs for testing and revision. Visitor Log (Appendix R) will be used to track visitors.
Before granting physical access to facility or software programs, access will be approved by the Security Officer or management and tested for security purposes. Pursuant to job description changes that necessitate more or less access to ePHI or to termination, the Office Manager shall promptly notify the Security Officer by indicating the change in access on the workforce member’s Network Access Request Form (Appendix D).
The Security Officer or designee shall maintain records of physical access to sensitive facilities and will review these records periodically.
The following sites house River City TMS, PLLC assets and medical information.
Jefferson Building is located at 400 S Jefferson Street Spokane Washington 99204. The office space is owned/leased, does/does not contain external power equipment, and is a temperature-controlled environment.
-
All access doors into the building will be locked at all times, with the exception of the reception entrance door, which will be unlocked during business hours.
-
Entrance into the building via locked access doors and during non-working hours will be controlled by a security/key fob system.
-
Each workforce member will be provided a key. Sharing of a key with other workforce members or with non- workforce member will be strictly prohibited. The key will be returned upon termination of the workforce member.
-
Entrance to the building during non-working hours will be controlled by a security code system.
-
Attempted entrance without this code will result in immediate notification to the setup call tree then to the local police department.
-
Only specific River City TMS, PLLC employees will be given the security code and building entrance keys for entrance. Disclosure of the security code to non-employees will be strictly prohibited.
-
The security code will be changed on a periodic basis and eligible employees will be notified by company e-mail or voice mail. Security codes will be changed upon termination of employees who had access.
-
N/A.
-
All outside windows will have glass breakage sensors which, if tripped, will result in immediate notification to the police department.
-
The first floor of the building will have motion detection sensors that will be activated after hours. Any movement within the building will result in immediate notification to the police department.
-
The building will be equipped with security cameras to record activities in the parking lot and within the area encompassing the front entrance. All activities in these areas will be recorded on a 24 hour a day 365 day per year basis. These will be visually monitored by a security guard.
-
The reception entrance door will be unlocked and monitored at all times during business hours.
-
The door from the reception area to the clinical area will be locked at all times. It will require appropriate credentials or escort past the reception or waiting area door(s).
-
The reception area will be staffed at all times during the working hours of 8:00am to 5:00
-
Any unrecognized person in a restricted office location will be challenged as to their right to be there. All visitors will be accompanied by a staff member. Non-Organization personnel who have signed the Confidentiality Agreement (Appendix C) will not need to be accompanied at all times.
-
Visitors’ access will be monitored by by Staff member in the treatment room with them.
-
Building is secured and requires code to access side doors
-
-
Maintenance Records §164.310(a)(2)(iv)
The Office Manager/Security Officer/Facilities Manager will maintain documentation for all repairs and modifications to the physical components of River City TMS, PLLC which are related to security, such as, hardware, walls, doors, locks, etc. . Documentation shall include:
Individual authorizing repairs and/or modifications
Date of repairs and/or modifications
Workforce member responsible for repair and/or modification