HIPAA Security Tip #34: Maintenance Records

By Iseman Cunningham Riester & Hyde LLP

Covered Entities must implement policies and procedures for documenting repairs and modifications to the physical components of a facility related to security. The “maintenance records” requirement is an addressable implementation specification under the Facility Access Controls standard. Covered Entities must implement the specification unless it is inappropriate or unreasonable and cannot be met through an alternative measure.

Numerous specifications require Covered Entities to evaluate and update physical components of their security systems. (See Tips #13, #14, and #16.) The maintenance records specification requires a Covered Entity to maintain records of the installation, modifications and updates, routine maintenance, and repair of these components.

Virtually all Covered Entities will employ some physical components related to security. The regulations cite “hardware, walls, doors and locks” as examples of physical components related to security. Depending on the size of the Covered Entity, physical components could also include grounds security (gates, alarms, and communication systems), building security (doors, walls, hardware, window bars, locks, fireproofing, sprinkler systems, and smoke detectors), equipment and devices used by security personnel (televisions, monitors, radios, pagers), and information system security (computers, servers, backup systems).

Maintenance records are an excellent way to demonstrate security compliance efforts. Maintenance records can be used to document the installation of security measures, the monitoring and update of the systems, and action taken in the event of a detected breach or weakness in the systems.

Do not limit maintenance records to a simple log of repairs and updates. Very often maintenance will be conducted by a third party, presenting the risk of introducing unauthorized persons into the facility and/or systems. Where appropriate and reasonable, Covered Entities should screen and supervise persons providing maintenance services. Make records of screening and supervisory efforts part of the maintenance records, too.

As noted in Tip #11, at times a Covered Entity relies upon a third party, such as a landlord, to provide and maintain a physical component of security. Contacts with the third party regarding installation, updating and repair of physical security components should be documented and included in maintenance records.

As the Security Rule provides no specific time frame for retaining maintenance records, the general Privacy and Security rule standard of six years would assure compliance.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.
