Physical Safeguards | ||
164.310(a)(1) | Facility access controls: Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring properly authorized access is allowed. | |
164.310(a)(2)(i) | Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan? (A) | |
164.310(a)(2)(ii) | Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A) | |
164.310(a)(2)(iii) | Have you implemented procedures to control and validate a person’s access to facilities based on his/her role or function, including visitor control, and control of access to software programs for testing and revision? (A) | |
164.310(a)(2)(iv) | Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks)? (A) | |
164.310(b) | Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R) | |
164.310(c) | Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R) | |
164.310(d)(1) | Device and media controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility. | |
164.310(d)(2)(i) | Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored? (R) | |
164.310(d)(2)(ii) | Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse? (R) | |
164.310(d)(2)(iii) | Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement? (A) | |
164.310(d)(2)(iv) | Do you create a retrievable, exact copy of EPHI, when needed, before moving equipment? (A) | |