Physical access controls § .308(b)(3)
...(limited access) (formal, documented policies and procedures to be followed to
limit physical access to an entity while ensuring that properly authorized access is
allowed) that include all of the following implementation features:
(i) Disaster recovery (the process enabling an entity to restore any loss of data in
the event of fire, vandalism, natural disaster, or system failure).
(ii) An emergency mode operation (access controls in place that enable an entity
to continue to operate in the event of fire, vandalism, natural disaster, or system
(iii) Equipment control (into and out of site) (documented security procedures for
bringing hardware and software into and out of a facility and for maintaining a
record of that equipment. This includes, but is not limited to, the marking,
handling, and disposal of hardware and storage media.)
(iv) A facility security plan (a plan to safeguard the premises and building
(exterior and interior) from unauthorized physical access and to safeguard the
equipment therein from unauthorized physical access, tampering, and theft).
(v) Procedures for verifying access authorizations before granting physical
access (formal, documented policies and instructions for validating the access
privileges of an entity before granting those privileges)
(vi) Maintenance records (documentation of repairs and modifications to the
physical components of a facility, such as hardware, software, walls, doors, and
(vii) Need-to-know procedures for personnel access (a security principle stating
that a user should have access only to the data he or she needs to perform a
(viii) Procedures to sign in visitors and provide escorts, if appropriate (formal
documented procedure governing the reception and hosting of visitors).
(ix) Testing and revision (the restriction of program testing and revision to
formally authorized personnel).
AMC Explanation of HIPAA Regulation
Each covered entity is required to establish formal, documented policies and procedures for
limiting physical access while ensuring that properly authorized access is allowed. Mandatory
implementation features also include plans for emergency operation and disaster recovery as well
as for testing and revision.
Category I Guidelines-Actions must be taken to address these