Scare Away the Unwanted: Four Facility Access Controls You Need!

Safeguarding the pharmacy’s Protected Health Information (PHI) is critical. Cyberattacks receive a lot of media attention, and a brief discussion of the threat to community pharmacies can be found in the June 2024 Newsline article, Independent Pharmacies are NOT Safe from Cyberattacks. The HIPAA Privacy and Security Rules require pharmacies to take a multi-faceted approach to securing the pharmacy’s PHI. With the release of the August 2024 Office for Civil Rights (OCR) Cybersecurity Newsletter (which focuses on the HIPAA Security Rule Facility Access Controls), now is a great time to review information about this safeguard.

The fundamental requirement of Facility Access Controls [as per 45 CFR 164.310(a)(1)] is to “[i]mplement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” Under the Facility Access Controls there are four addressable implementation specifications. For each one, a covered entity and/or business associate must assess whether it would be reasonable and appropriate to adopt that specification as a safeguard for their environment. If it is appropriate, they implement it; if it is not reasonable or appropriate, they document why and implement an equivalent alternative measure if one is reasonable and appropriate. Below is a table which outlines the four addressable implementation specifications for Facility Access Controls, what they are, and suggestions for pharmacies.

| Implementation Specification | Explanation [1] | Practical Application for Pharmacy |
| --- | --- | --- |
| Contingency operations | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | A plan to respond to emergencies such as natural disasters (e.g., floods, earthquakes, tornadoes, hurricanes, fires), malicious attacks like hacking or malware, and human error (e.g., accidentally disabling critical systems or deleting data). Includes plans such as which workforce members will be allowed access during Emergency Mode Operation, how to prevent ePHI from being compromised during an emergency or disaster, and plans to maintain and access ePHI during restoration activities. |
| Facility security plan | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | Possible elements to integrate into this area would be security alarms to detect and deter unauthorized access; pharmacy barriers such as doors/gates/walls to block physical access without proper keys; a video recording surveillance system; securing or locking hardware which contains ePHI to its location within the pharmacy to prevent removal; and keeping portable hardware and media secured or locked when not in use or under direct control. |
| Access control and validation procedures | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | Utilize a sign-in log for vendors, maintenance workers, etc., ensure the individual(s) remain under direct supervision while in your professional service area, and grant access only after a Business Associate Agreement is signed. Require all non-employee visitors (e.g., volunteers, students, etc.) to successfully complete HIPAA training prior to access to pharmacy professional services areas. |
| Maintenance records | Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | Maintain a record of all repairs and modifications to the physical components of the pharmacy related to security, such as walls, doors, locks, and hardware. For each repair/modification, record (at a minimum) the date and time, description, reason, name of the person(s) responsible for the work, and the individual responsible for overseeing the work. |

[1] 45 CFR 164.310

PAAS Tips:

  • Failure to implement Facility Access Controls can increase a pharmacy’s vulnerability to data breaches and theft
  • Documentation related to HIPAA must be maintained for a minimum of 6 years from the date of its creation or the date when it was last in effect, whichever is later
  • A PAAS Fraud, Waste and Abuse and HIPAA Compliance Program membership addresses all of the implementation specifications for Facility Access Controls listed above within a customized Policy and Procedure Manual. Staff will also have access to Cybersecurity Training and much, much more!
Sara Hathaway, PharmD