Building Security—More Than Just Locks on the Doors: HIPAA & HITECH Act Blog by Jonathan P. Tomes

In this digital world, it is often far too easy to forget about something as low-tech as the physical security of the building in which a covered entity or a business associate is housed. The Security Rule addresses physical security in these four sections:

  1. Facility Access Controls, § 164.310(a)(1).
  2. Workstation Use, § 164.310(b).
  3. Workstation Security, § 164.310(c).
  4. Device and Media Controls, § 164.310(d)(1).

The only one of these four sections that relates to building security is the first one—that is, facility access controls. It requires covered entities and business associates to “implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.” Within the Facility Access Controls standard are the following four implementation specifications, all addressable, which, simply stated, means that the covered entity or business associate must comply with them only if it is reasonable and appropriate to do so:

  1. Contingency Operations. How do you get into the building during an emergency?
  2. Facility Security Plan. This policy tells who is responsible for the security of the facility and what his/her/their duties are.
  3. Access Control and Validation Procedures. This policy specifies who is responsible for assigning, revising, and terminating access and how.
  4. Maintenance Records. Records of facility security repairs and modifications, such as changing locks, making routine maintenance checks, and installing new security devices.

But building security encompasses more than just locks on the doors and perhaps bars on the windows or even security cameras or an alarm system. You must also consider other aspects of physical security in a risk analysis of a building or office.

One physical security expert suggests that the way to look at doing a risk analysis of a building is to consider the primary services supporting the building, which could include the following:

  • Electricity.
  • Industrial controls.
  • IT communications.
  • Waste/waste treatment/sewer.
  • Water.

Ernie Hayden, TechTarget Network, “How to conduct a security risk review on a large building,” May 9, 2019, at

Obviously, not all of these elements are involved in HIPAA security—that is, the security of health information and the system that it resides in or is transmitted over. For example, the waste element is inapplicable unless you are storing paper records to be picked up by the shredding service on a loading dock. One covered entity that this author audited simply put the boxes of paper records on the sidewalk outside the back door. Was that scenario an invitation to a seven-figure fine like the one that CVS pharmacy suffered for putting paper records into a dumpster? If you are placing such records on a loading dock, is the loading dock physically secure from unauthorized access while the health records are stored there waiting to be picked up?

But the physical security of electrical conduits may also need a risk analysis. What if a vandal can sever them, leaving the electronic medical record without power? Even if you have emergency electric power/backup, loss of primary power will immediately cause degraded performance of most, if not all, building systems, including IT systems. What happens if your card keys can’t open the doors because the power is out?

Industrial controls could involve such things as HVAC. What happens if they are attacked, resulting in the failure of the cooling system in the file server room? That is something to consider in your building risk analysis.

Tools to help in your building risk analysis include, but are not necessarily limited to, the following:

  • Copies of building floor plans from roof to basement.
  • Procedures for taking manual control of building subsystems, such as cooling, lighting, etc. to maintain operations.
  • Online diagrams:
    • Electric power (normal and emergency).
    • Building management system (“BMS”) controls network.
    • IT and telecom communications.

If you are leasing space, you may need to ensure that you can access these documents from the landlord before entering into the lease.

A White Paper by Steven Rinaldi, James Peerenboom and Terrence Kelly, “Identifying, Understanding and Analyzing Critical Infrastructure Interdependencies,” at, may be helpful in doing your risk analysis.

So remember, security refers to more than just having good passwords, firewalls, encryption, and the like. You must also consider the physical security of the environment that you operate in. And make sure that you include all of those elements in every risk analysis, especially if you change buildings, storage facilities, and so forth.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate. And make sure that you include building security in your risk analysis.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: or Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.
