Category: Privacy

Date: March 2003

Reviewed/Revised: April 2013

Purpose

To provide general guidelines for access to, and physical security of, areas within EVMS Medical Group facilities which contain Protected Health Information (PHI).

Policy

All EVMS Medical Group facilities shall comply with federal and state requirements, including but not limited to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), regarding security of PHI in all formats through appropriate and reasonable physical access restrictions.

Procedure

  1. Identification of Individuals with Access to PHI. Each department within EVMS Medical Group shall identify all PHI within their facilities and shall be responsible for allowing access only to those individuals who have a demonstrated need to know or need to view PHI. Each department shall specifically identify individuals who have or could have access to PHI during any time period. This includes after hours, weekends and holidays.
  2. Each department shall be responsible for the following action items.
    1. Each department shall be responsible for maintaining appropriate agreements with all vendors and contractors.
    2. Each department shall devise a physical access plan to secure any area that may contain PHI through the use of locks, locking file cabinets, office configuration or physical access control systems.
  3. Vendors/Contractors. All vendors and contractors who have access to any area which may contain PHI may be required to enter into a Business Associate, Chain of Trust and/or Trading Partner Agreement(s) depending on that vendor or contractor's function within the area.
  4. Individuals responsible for new building projects or modifications to an existing facility must submit all plans and details of the project to the Compliance Office to determine that all records management and storage areas are designed to be in compliance with this policy.