Chapter 2: Physical Security Requirements

Index

Section I: Pertinent sections of HIPAA proposed security regulations relating to Physical Security Requirements
Section II: Requirement
Section III: Approaches/Solutions
Section IV: Policy & Procedure
Section V: Web Sites Of Interest


Section I: HIPAA Proposed Security Regulations relating to physical security requirements

HIPAA Draft Regulation References:

Please refer to the following sections of the proposed HIPAA Security Regulations for information regarding §142.308(b) (Physical Safeguards to Guard Data Integrity, Confidentiality, and Availability).

Section II: Requirement

The covered entity must develop methods to assure the physical protection of computer systems, stored data/media, and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion.

1.  The facility must have assigned security responsibility to manage and supervise the execution and use of security measures to protect data and to manage and supervise the conduct of personnel in relation to the protection of data.

2.  The facility must provide a documented plan to control media entering and exiting the facility that must include access control, accountability, data backup, and data storage and disposal.

3.  The facility must provide and document physical access controls to limit physical access to the entity while allowing proper authorized access to information. These controls must provide for:
  • disaster recovery to restore any loss of data due to fire, vandalism, natural disaster, or system failure;
  • a contingency plan to allow operation in the event of fire, vandalism, natural disaster, or system failure;
  • security procedures controlling and documenting the receipt and removal of hardware and software into and out of the facility;
  • a facility security plan to prevent unauthorized physical access to the premises;
  • procedures for verifying access authorizations and privileges before granting physical access;
  • maintenance records;
  • principles defining need-to-know procedures;
  • procedures to sign in visitors and provide escort services, if appropriate, and a means of logging such activity; and
  • testing and revision of authorizations, restricted to authorized personnel.

4.  The facility must develop policies and guidelines governing workstation use outlining the proper functions to be performed, the manner in which they are performed, and the physical attributes of the area surrounding the workstation dependent on the sensitivity of the information accessed from that site.

5.  The facility must assure the physical security of workstation locations to eliminate or minimize the possibility of unauthorized access to information.

6.  The facility must provide information security awareness training to all employees, agents, and contractors. Customized training must be provided to focus on issues regarding the use of health information and responsibilities regarding confidentiality and security.



Section III: Approaches/Solutions

  • Designate an official responsible for monitoring and/or allowing physical access to areas in which protected health information (PHI) is utilized or maintained and develop specific clearance authorization protocols for each area where PHI is stored or maintained. This should outline criteria for selection of individuals who will be granted access on a need-to-know basis.
  • Develop procedures describing the means by which media is brought into the facility, removed from the facility, or destroyed once it is no longer required to be maintained. Logs should be maintained to facilitate tracking of these activities.
  • Develop a contingency plan to facilitate operation in the event of a disaster or system failure as well as to recover from a disaster.
  • Maintain a visitor log to identify individuals entering the facility to allow for investigative tracking should a suspected security breach occur due to an unauthorized intruder.
  • Situate workstations in a fashion that will maintain confidentiality and security of sensitive health information. Provide physical barriers and/or privacy screens as appropriate to prevent unauthorized access or casual viewing of PHI.
  • Where possible, place workstations in a room that can be locked to prevent unauthorized access to PHI located on that particular workstation. In instances where the area cannot be locked, surveillance should be present whether by security personnel, authorized workstation users/co-workers, or by monitoring devices.
  • Develop policies and procedures governing the physical security of portable computing devices, such as laptop computers or PDA's, to assure that PHI stored on these devices is not disclosed to unauthorized personnel by theft, loss, or casual viewing if the device is transported off the facility's premises. These policies should also include provisions for safety of these devices in the event of theft, loss, or damage, so that the data may be recovered and restored.
  • Develop policies and procedures for the proper disposal of paper documents, labeled containers (e.g. IV bags, specimen bottles) and removable storage media (tapes, floppy disks, CD's, zip disks) containing PHI.
  • Develop policy and procedure for controlling the issuing and return of keys/access cards.
  • Provide adequate environmental controls for locations containing computer/networking equipment.
  • To reduce risk associated with power problems, provide surge protectors, uninterruptible power supplies (UPS's) and/or emergency power for devices used to access PHI, as appropriate.
  • Develop customized training and awareness programs as described in the "Security and Awareness Training" policy.



Section IV: Policy & Procedure

The physical security of Protected Health Information is required by HIPAA to be maintained by every covered entity and by agents or contractors providing services on behalf of the covered entity. PHI should be available to those who have a legitimate need to use the information, but should be unobtainable by those who have no need or authorization to use it. The organization shall have a security officer assigned to designate who may be granted access to PHI within the organization on the basis of need. That individual will be responsible for issuing access cards or keys to employees for areas containing PHI, thereby limiting access to information. The officer will also be responsible for oversight of an equipment and software registration log that tracks the entrance and exit of equipment or software that may contain PHI. This individual will oversee the complete and proper destruction or deletion of PHI from such equipment or software before it leaves the facility. The security officer must use an audit system or other related system to routinely assess the physical security of the facility.

Physical barriers intended to protect this information will be implemented to guard against theft, destruction, unauthorized viewing, and similar risks. These barriers may include the installation and use of doors/fire doors, security windows, locks, desk counters, safes, room dividers, or sound-dampening rooms. Diversion tactics, such as the placement of a television, magazines, or a radio in high-risk areas, may also be used to distract unauthorized casual listeners from overhearing conversations or from seeing privileged information. Workstations, monitors, or other devices that may display health information should be oriented to face away from areas in which PHI could be disclosed to unauthorized individuals.

Portable computing devices, such as laptop computers or PDA's, containing the facility's PHI or other confidential information shall be monitored and kept secure at all times by the individual to whom the device is provided, whether the device is owned/leased by the individual or loaned/checked-out to the individual. It is the responsibility of the individual possessing the equipment to prevent the item from being lost, stolen, or damaged, and to prevent the information stored within the device from being disclosed to unauthorized individuals.

The facility will adhere to its contingency plan, which will enable the organization to continue to operate securely in the event of a system failure or disaster. The plan will also set out the steps for recovery should a failure or disaster occur.

An education, training, and awareness program will be instituted to instruct staff, agents, and contractors in the aspects of proper physical security. This training and awareness shall be offered periodically to remind staff, agents, and contractors of the importance of physical security.



Section V: Web Sites Of Interest

http://www.hipaadvisory.com/regs/securityandelectronicsign/ - HIPAA Security Standards

http://www.nitc.state.ne.us/standards - Nebraska Information Technology Commission Technical Infrastructure - Standards and Guidelines
