CMA: Physical Security for Large Organizations

Disclaimer: CMA/PrivaPlan PrivaGuide: Physical Security for Large, Complex Organizations.

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice.  Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns. 

PrivaGuide: Physical Security for Special Considerations for Large Organizations
By David Forbes

HIPAA requires that each covered entity provide for the physical security of the organization’s premises. Specifically, this means:


You must develop formal documented policies and procedures to limit physical access to the premises.
You must have a disaster recovery plan that details how you will continue operation in the event that your facility becomes unavailable due to vandalism, natural disaster, etc.
You must ensure that access controls work even when you are operating in “emergency mode” (that is, after a fire, flood or other disaster).
You must have documented procedures for bringing hardware and software into and out of a facility.
You must develop a physical security plan (a plan to safeguard the premises from unauthorized physical access).
You must have formal, documented policies and instructions for validating access authorization before granting access privileges.
You must keep records of repairs and modifications to the physical components of your facility.
You must establish “need-to-know” personnel access procedures.
You must have “sign-in” and “escort” procedures, as appropriate.
You must restrict program testing and revision to authorized personnel.


Making life easy with templates:


Maintaining good records may be the only way to prove your real effort toward compliance. Handwritten notes or free text entry on electronic media can lead to confusion and misleading impressions. In the process of publishing physical security documentation, multiple-choice check boxes in template format will help to reduce that risk.  For example, a document authorizing limited access privileges – even the negative statement confirming that a person has no independent access privileges – can be covered with a series of boxed descriptions of the type of access by location, and then checked before authorizing. Authorized parties acknowledge, sign and date the document.



How to do this:


In this section we document some practical suggestions for implementing your compliance procedure.  “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities.  Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.



Developing Policies and Procedures for Access Control


Implementation Suggestions:


Appoint a physical security coordinator or security official (preferably somebody from management).

The security coordinator is responsible for ensuring that the organization is not exposed to security or compliance liability threats. They also help maintain the right balance between HIPAA compliance budgetary considerations and operational practices. A training course in security education and awareness, communications efficiency, and strategic use of technology will be a wise investment for this person. Ideally, the security coordinator will emerge as an expert guide, mentor, and coach, while directly managing the key components of the security program such as orientation, training, record keeping, procurement and audit disciplines. In HIPAA, the security coordinator is called the HIPAA Security Official (or HIPAA compliance official if one person is in charge of both Privacy and Security compliance).



Publish a facility security manual or dedicate a section of the general policy and procedures manual to physical security. The function of published policy is to explain why security rules and procedures are necessary, to encourage employee support, and to allow the employer to demonstrate the effort toward HIPAA compliance. In order to remain credible, the document must describe the executive authority for policy enforcement and implementation, with designated names that are kept up-to-date.


The guide should incorporate such objectives as safety; protection of the organization; protection of assets and employee jobs; and avoidance of civil liability and of breaches of regulatory requirements.


It should also distinguish mandatory rules from advice.


Procedures should include the process for employee and contractor security orientation as well as formal procedures for authorizing and issuing physical access to buildings, offices, cabinets, filing systems, etc.


In the event that people who have not been part of the facility authorizing process have justifiable reason to be in a secured area, you need to have procedures in place to address visitor relations. These procedures must include requirements for visitor behavior, the procedure for escorting visitors through the building, and visitor records. For example, an electrician could be called in on an emergency and might need access to a secured area. Informal, emergency or formal and regulatory entry into ‘controlled’ areas should be recorded, with reason, time and date. Unauthorized entry, when discovered, should be formally investigated. The organization’s policy statements should also make it abundantly clear that willing employee involvement in a breach of security policy may result in disciplinary action.


When outlining your physical security procedures, consider the type and location of hardware and software equipment/devices used to control physical access. (See Developing a Physical Security Plan later in this Guide).


Make it a mandatory requirement that all personnel report any suspected breach of physical security within a reasonable time period.


Procedures for surrendering access privileges and equipment (keys, swipe card etc.) arising through resignation, suspension, termination or other relevant change must be clear. A checklist placed on each employee/contractor file will provide the audit trail illustrating the compliance effort. 



HIPAA rules and penalties should be emphasized in the introductory paragraphs of the security document, even if they have already been covered in other documentation. Hardcopy, online or other computer media forms of publishing the physical security policy and procedures need only one common feature: communication and education should be equally effective in meeting compliance standards.


Strong advisory note: HIPAA is causing many organizations to transition from a more relaxed security environment. If employees fail to embrace the change, three primary problems will result: (1) employees may give physical access privileges to a new worker before a satisfactory background check has been completed; (2) security policy and procedural documentation may become severely out of date; and (3) employees may take substantial shortcuts on orientation/training and later become vulnerable to employee grievances and/or ‘whistle blowing’. Fundamentally, peace of mind on security will come from sensible, consistent and disciplined management as a natural ‘no-fuss’ component of business management.


Maintenance Suggestions:

Keep a general access authority security log and a matching entry in the personnel file.

This sounds laborious but it doesn’t have to be. Placing some responsibility on employees to report changes will help some small organizations. In larger organizations (where numerous door entry/egress transactions occur), programmable card reading access control systems will, in many instances, offer the ready-to-use logging software. Printouts from these systems are not necessary but can be useful, e.g. when placing a confirmation record on a departing employee’s file after access has been revoked.


Carry out regular audits for compliance.

An un-enforced policy is a discredited policy. If checking out their effectiveness through auditing is lengthy and tedious, the possibilities are that (1) policies and procedures are unnecessarily complicated and/or (2) solutions have not been adequately addressed. We recommend that the audit results be shared with as many employees as possible so that those who can best influence good performance are encouraged to maintain or raise the standards. This process also becomes part of your history, showing the effort to maintain compliance.


Actively seek help from and respond positively to staff in order to anticipate access control security needs.

Employees are the eyes and ears of the organization and sometimes have worthwhile ideas, offering (in many instances) the first defense against access control problems. Employers often request that their employees ‘challenge’ strangers. Across many differing industries, the great majority of employees are not comfortable doing this. It is imperative that people authorized to have access to secure areas have the confidence to question any stranger entering that area, that is, when that stranger is apparently not observing a known and policy approved protocol.  To maintain access control integrity, strengthen access control by including the topic in regular staff meetings. Equipment malfunction or inadequate performance should always be addressed promptly to prevent breaches; these should not be left for reporting only at occasional meetings.


Host annual security refresher sessions where employees “sign-in.”

If a serious incident (at any pertinent location) should occur that has significant implications for continued compliance by the organization, a special security awareness review may also prove worthwhile. For example, a neighboring covered entity receives unfavorable publicity concerning an allegation relating to patient healthcare information privacy. Initially the only detail available about this comes from the local media, but it causes some doubt and concern as to your vulnerability. If, as a matter of policy, you have a provision that such reports will lead to a compliance review, it is sensible and reasonable to conduct a refresher session.



Disaster Recovery Planning

(Special Note: This part of the PrivaGuide includes some planning principles that exceed HIPAA expectations. They are included so that you can benefit from learning how compliance measures can be harnessed to support overall business protection, thereby helping you make the most of your time and expenditures.)


Implementation Suggestions:

Consider obtaining a Business Continuity software package for ease and speed of preparation

Business Continuity, Disaster Recovery, and Contingency Planning all mean the same thing. A business continuity plan is usually part of the Emergency Planning documentation for large corporations and government agencies. State Emergency Planning documents can be viewed under general headings via websites. These will give some guidance in constructing such plans. We commonly underestimate the impact to our organization when a neighboring facility suffers a disaster. Don’t remain complacent if your facility is at risk. Below you will find some source information for searching that will also help you to learn more about and decide on the most cost effective method of constructing a security plan.


We recognize that, ultimately, the choice is yours. So, we recommend that you make comparisons, investigate the track records of various products, and seek out the best value based on user friendliness, flexibility, cost, absence of bugs, and non-disaster plan benefits. If you hope to grow in size in the next few years, scalability will also be important.


Consult your Insurance Company about your Business Continuity Plan.

In the near future we will be faced with many changes in business insurance availability, notably the absence of terrorism coverage. Our research indicates that both government and the insurance industries are likely to encourage public and private enterprises to invest in measures that will reduce the financial exposure to loss, thereby enabling insurers and/or the government to provide coverage. Please note that this is an interpretation offered at this particular time. It is not a definite development. Insurance companies, however, are always interested in improving their risk, and some may be able to offer advice on Business Continuity Planning.


Arrange or conduct your own Vulnerability Assessment for your facilities.

Every work location is unique not only in its physical features but in its surrounding environment. Proximity to high crime areas is an obvious example of vulnerability, but there are many more examples that are likely to be missed without a professional vulnerability assessment. In practical terms, the assessment is a walk-through of your entire facility, a survey of existing safety and security equipment and service provisions, and a list of priorities for protection. This exercise is also part of developing your security plan. Template checklists, digital photography, and (in large facilities) videotaping will facilitate a better understanding of vulnerability and therefore reduced risk.


The Business Continuity Plan benefits from the assessment by engaging facts instead of assumptions. It is a common weakness of in-house Business Continuity plans that they fail to take account of the probable behavior of other entities during an emergency. For example, a hurricane threat in Florida resulted in several different unconnected organizations (each with a large number of employees) writing a plan to relocate and resume operations in the same hotel. Some of the parties had consulted the hotel but did not recognize the need to let them know how many businesses would be there. Another organization was found to be overly dependent on oil based generator fuel for back up. An investigation showed that in all probability the location would not receive any fuel delivery service following a specified type of disaster.



Create a Business Continuity Team and Build Your Plan

(Note: The descriptive information that follows comes from experience and an established and tested methodology. It is included for guidance only and represents one method of management that, while not mandatory in this form, will help satisfy any regulatory inquiry about your preparedness).


The reasons behind so many businesses failing to recover after a disaster, such as a fire, a flood, the Oklahoma City bombing in 1995 or the 9/11 terrorist attacks, are primarily found under three headings:


There were no survivors capable of running the organization
There was no current, workable and tested Business Continuity Plan
The organization tried to conduct ‘business as usual’ instead of concentrating on survival

You must consider HIPAA requirements when arranging back-up accommodations and services. Compliance also applies to offsite storage of hardcopy PHI files and PHI electronic data in the normal course of business. Physical access controls may therefore extend to rules applicable to contracted storage, leased, or non-operational sites used by the organization.


The current, workable and tested plan is derived from a very tough thinking process. The obstacles to this include failure to attend planning meetings, lack of cooperation between managers and their departments, possessive self-interest and lack of recognition of the need to protect the organization as a whole, which planning and testing provides. In conditions where regulatory standards are imposed, the inability of the regulated party to comply due to internal inefficiencies is unlikely to be a viable defense to non-compliance.


In the event of a disaster affecting the organization, a Crisis Management Team, already identified within the planning process, will direct the organization through the emergency. Some key players in this role may surprise some business managers – the Chief Finance Officer, Legal Adviser, Public Relations Executive – these are typically Crisis Management Team members in a large corporation.


For much smaller organizations, this lineup demonstrates the significance of having and protecting certain expertise – financial, to keep cash flow alive, meet payroll etc.; legal leadership, to pursue entitlements and protect contractual and liability interests; and PR, to maintain a responsible dialog, offer confidence to creditors, employees and investors, and avoid adverse publicity.




Develop Alliances for Disasters


Sharing connections and resources is one way to keep cost down. You may need a guard for your premises if it is unavailable for normal work but accessible to others. If you don’t have a website, consider setting up an arrangement with a reputable security company for guarding and for website communications during such emergencies. For a small fee, you could arrange for incoming telephone calls to be directed to both a message center and a website where status and contact advice information is offered.

Maintenance Suggestions:

Operate an automatic update system for changes of critical contact data

Emergency service communications other than 911, key staff telephone numbers including cell phones, critical service and product suppliers, legal advisers etc. should be listed in different locations including the homes of executives of the organization so that the plan can be brought into operation even when the main facilities are inaccessible. A telephone tree and calling plan should be included with each listing. All involved functionaries should be asked to ensure that lists of numbers are current by taking responsibility for checking and updating numbers.


Post the Plan and Employee instructions on a Website

It may prove very important to deter visitors, and even some employees, from coming to your facility, especially if damage has exposed PHI material and you have yet to commence the clean-up. With ID and password protection, the contingency arrangements for an emergency that renders the normal workplace unusable, or for some other crisis affecting access, can be posted on the site alongside information intended for the public. The three website components using the plan will therefore be (1) the protected copy of the plan for authorized executives; (2) protected information accessible by all employees but not the public; and (3) public information to answer FAQs and re-direct communications.


Maintain Contemporary Knowledge of Threats and adapt accordingly

Sharing knowledge with peer groups and helpful associates, including the PrivaPlan subscribers, is a healthy way to anticipate and plan successfully for changes affecting your vulnerability. It is also one of the best ways to find good value products, services and solutions. Both permanent and temporary access control devices, hardware and software, are constantly evolving in the marketplace, with improvements in cost and performance for the buyer. The choice of both product and access control methodologies is enormous and sometimes confusing. A prior user or a security consultant will usually offer the most reliable advice as to the suitability and reliability of a particular product for your environment and culture. Although many vendors give good service, it is questionable as to whether they can control their natural sales bias in your favor.


Review the Plan annually and more often when required

Earlier advice about refresher training on policy and procedure applies. Good software templates will invariably trigger reminders on updating and testing, but the organization should be prepared at short notice to convene a special review in anticipation of a potential emergency, e.g. approaching forest fire, hurricane, disease epidemic.


Your staff should be trained and the Plan should be tested

To prevent a disaster becoming a catastrophe, it will be crucial for staff to be able to work virtually unsupervised in support of the business survival and continuity goal, while key executives operate and are focused as a crisis management team with minimum distraction. To this end, desktop scenarios should be used to rehearse variable demands arising from a serious event. This training and the names of those receiving it (in full) should be documented for the record. Employee training will underpin the organization’s ability to comply with regulatory expectations on access while operating in emergency mode.




Access Controls – Operating in ‘Emergency Mode’


Implementation Suggestions:

The Business Continuity plan should produce a set of employee instructions for access controls in temporary emergency conditions

Procedures for handling the privacy compliance requirements may easily be lost on employees who find themselves both fatigued and struggling to cope with imperfect accommodation and working conditions. Contingency planning should be designed to account for this, with emergency arrangements fixed in advance, including temporary rental or purchase of lockers, padlocks, computers and lockable vehicles for secure transit of records. An ideal location for temporarily housing protected health information (PHI) is a previously known facility with round-the-clock guard protection, security technology access control, and surveillance systems.



Maintenance Suggestions:

Set up a regular calendar review of availability of emergency resources

It is dangerous to assume that all of the resources identified as essential for your Business Continuity plan will still be there in the originally agreed form and at the same budget cost when an emergency develops. The nature of the emergency may affect many others and demand may exceed supply, a common feature of natural disasters around the world. The accommodation, storage, guards, locks, containers, computers etc. cannot be guaranteed in most circumstances without a significant security deposit. It may be necessary to purchase the most essential materials and store them off-site. At least one person should be appointed to the role of ‘quartermaster’ to maintain an inventory and an availability monitoring watch.


Try to keep this in context

There will be some organizations that are more accustomed than most to emergency preparation. Others will find it difficult to understand why a new regulatory regimen has such an impact. Emergency planning incurs extra expense when you can always ignore the risk and take your chances.  The smaller the organization, the simpler the focus and the less detailed the plan. The objective is to protect PHI against improper disclosure whatever the operating circumstances, and thereby avoid a justifiable complaint and consequential penalty. Unfortunately, perception is all-important and a lax plan may leave you vulnerable to allegations. In a healthcare setting we would hope that the advice that “prevention is cheaper than cure” will be readily understood.



Hardware and Software Transfers, and Document Destruction


Implementation Suggestions:

Include rules on the movement of computer hardware, hardcopy PHI and software in the Security Policies and Procedures document

Employees, visitors and contractor employees may easily overlook the implications of moving computer hardware and software into and out of a secure area. Each represents a potential vehicle for the physical transit and transfer of PHI and as such may carry it out of the managed areas. Equipment, hardcopy data, and software brought into a controlled facility become part of the inventory (even if brought in temporarily), and therefore accountability for access becomes an issue. It is necessary to record the movement of any kind of information (whether it is PHI or not) to and from a secured area. The record should show:


(1)   A unique identifying description of the processor, software or hardcopy data.

(2)   The name/function of the user prior to moving the item, and the last date used.

(3)   A summary of the type of information held within the processor/software media/hardcopy.

(4)   Name/function/location of the intended recipient/user and the date of delivery.

(5)   The reason for transfer.

(6)   Signature and identity of the person authorizing transfer and executing it (if different).


Laptop computers present special risks in this respect, but the constant movement of such equipment by trusted and qualified employees should not have to be incessantly recorded, provided that other measures and disciplines are actively applied, such as ID/password protection and encryption software, together with protocols that impose accountability on the user and are securely recorded. Biometric access for laptops is recommended. Regrettably there is a voracious market appetite for stolen laptop computers throughout the United States, and this is an area of extreme vulnerability both in the sense of intrinsic loss and of exposure to HIPAA liability.


Incorporate the foregoing with document and data equipment/media destruction policy and practice, stating clearly the daily and other routines to be followed and publish it in the security policy and procedures documentation. Office based shredding equipment can be augmented where necessary for bulk and specialist (non paper media) destruction. It is advisable to physically inspect all such operations for compliance before contracting with anyone to modify your equipment. This is another important feature of orientation and refresher training and awareness, and of internal audit for compliance.



Maintenance Suggestions:

A permanent log in hardcopy or electronic format should be maintained and made available for audit

The disposal of old hardware and software media, repair offsite and other reasons for moving the items described create a potential for breaching HIPAA regulations by reducing access management and increasing the risk of access by unauthorized people. A log is intended to counter that through employee accountability.


Reputable organizations engaged in the business of secure destruction of computer processing and software, and of sensitive paper based data, should be consulted to establish an internal published policy for disposal of unwanted but regulated copies of information media.



The Physical Security Plan


Implementation Suggestions:

Special note: Buildings, facilities and circumstances vary greatly, and therefore this guidance should be read with appreciation of its generality.

This is a refinement of the controlled division of space between public and private areas that already exists in many facilities.

The fundamental approach to drawing up your controlled space plan involves the following:


(1)   Obtain and copy a current architectural/engineering drawing of the facility that clearly identifies the structural division of workspaces, public and private areas, including all occupied levels, exterior and interior access points, and emergency/fire exits.


(2)   If a professional drawing is not available, have a rough sketch prepared as close to scale as possible marking out all of the same locations/components as listed in item (1) above.


(3)   Walk through the facility. Decide upon the most practical method and location for limiting movement and areas of containment of PHI in the context of routine storage and access to computers, monitor screens and hardcopy data subject to protective regulation. Identify the measures and resources that you already have in place and can continue to use effectively to support your controls.


(4)   In particular, delineate the line(s) dividing public access from private controlled access.


(5)   Develop your plan, modifications to be devised accordingly, so that there is a physical barrier (usually a lockable full door). The purpose of the barrier is to force any member of the public, a contract employee or other person lacking authorization, to ‘negotiate’ before entering the private and controlled areas of the facility, which should be identifiable with good signage.



Find a good locksmith and develop a business relationship
Don’t panic, there are many options available to make your locking arrangements convenient. Take time and obtain help to consider how you can operate a security locking system that works for you – not one that imposes more work on you. Also, choose products that are versatile and cost effective when locks need replacement due to key control concerns.


(6)   Identify and note the internal locking locations and requirements that will enable you to efficiently manage your professional services while complying with HIPAA regulations on physical access.


(7)   Aim where possible to allow visitors (once they have been authorized through visitor protocols) to gain access to internal consulting rooms and offices without passing through controlled areas where PHI may be viewed or accessed. Whereas escort protocols will apply to many, the presence (for example) of repair and janitorial workers in all parts of the facility will demand additional precautions while they work unsupervised.


(8)   In the case of facilities that are contained within or physically connected to premises occupied by an unrelated entity, and in particular where fire escape routes, stairwells etc. are shared, care must be taken within the plan to ensure that internal controls are not undermined through improper use of thoroughfares. Examples of exposure in this regard would be propping doors to increase airflow through an office, leaving a fire door insecure during or after a smoke break, and simple ‘tailgating’ – slipping in behind someone, perhaps to shortcut access. This can also defeat electronic access control system disciplines (swipe cards, numeric keypads, proximity card readers and biometric readers). Fire doors and doors representing this kind of exposure can be fitted with audible alarms to counter access and egress abuse.


(9)   Depending upon hours of operation and several other material risk factors, it may be necessary to install a monitored intruder alarm system to offer protection for those hours when the facility is unoccupied. In any case, locking mechanisms and access control applicable to street or other facility entry points must be of a high standard. Windows as well as doors must be assessed in this process. Whereas burglary is a threat to be considered and vandalism alone can create expensive problems, internal controls for securing HIPAA regulated PHI are likely to be the main focus of concern if a burglary does occur. If sloppy treatment is applied to overnight or weekend security of PHI, with computers remaining operable, diskettes and CD media and hardcopy files left on desks or in unlocked drawers, regardless of the fact that forced intrusion was involved, a HIPAA complaint may prove more than valid.


(10) Once your internal planning based upon the drawings has been developed into a manageable philosophy for physical access control, and preferably when all equipment to facilitate control has been installed, a final copy drawing and set of instructions should be published for inclusion in the security and employee orientation document covered at the start of this PrivaGuide. It should then be incorporated into the scheduled security audit record system for itemized checking, verification and remediation as necessary.


(11) Your plan is worthless if it is not communicated and acknowledged as understood by all who work in the facility. Keep your knowledge current.


(12) Depending upon the occupied space, number of employees, traffic flow and layout complexity, it may prove advantageous to employ a consultant for this planning process. PrivaPlan welcomes inquiries from organizations needing assistance, and a low cost (remote guidance) option for planning and procurement advice is available.


(13) The introduction of security devices other than locks, electronic access readers, and intruder alarms, may (for the more complex facility) prove to be a good investment over time. The vulnerability assessment will help to determine what is worthwhile. Generally consideration of CCTV monitoring comes from the need to view several areas simultaneously without having to physically visit or patrol the facility. Increasingly, organizations are finding positive management value and non-security benefits from camera systems, and sometimes these are used in conjunction with office telephone intercom systems.


Biometric Access Identification Systems

Biometric identification systems (based on unique human physiological features such as fingerprint, hand geometry, retina or iris pattern, and voice) are potentially the most accurate validation methods for granting access to a particular building, office, garage etc. The same biometric may be used across a wide range of access control needs, including vehicle ignition, computer logon and electronic file access. It is this versatility that we suggest will attract more users to biometrics; but two cautionary notes are due here. First, several systems now on the market are experiencing teething difficulties, and every biometric reader has a false accept rate (admitting the wrong person) and a false reject rate (turning away the right one); ask the vendor for both figures and for how the reader behaves when it fails or loses power, because a reader that fails open is no control at all. Second, a biometric, unlike a badge or a pass code, cannot be changed if the stored template is compromised, so the template database needs the same protection as any other store of sensitive data. These systems are suited to security sensitive locations where there is fairly large-scale transactional activity, and they will be coming down in price as they improve over the next several years.



Maintenance Suggestions: Your audit schedule and audit documentation are the best discipline to serve your organization

Under this and later sections of this PrivaGuide, two things are key to maintaining protection: the ability to rely upon employees to report security malfunctions, and the preparedness of your organization to receive and act promptly on those reports. The audit program, however, remains the essential tool. It should be used as the principal executive and remedial defense against any breakdown in the program, and it is also the means of proving vigilant and responsible observation of HIPAA regulation.



Refinement of Physical Access Protocols


Implementation Suggestions: The formula for physical security described in the foregoing sections emphasizes the need for documentation, and the following refinements are essential to meet compliance.


(1)   A formal policy and procedure, together with instructions for validating access authorization, must be known and observed by all relevant personnel. The process involves (a) a validation system that identifies and justifies the specific profile of the physical access being granted (which person, which areas, which credentials, which hours); (b) communication of the rules to, and acknowledgement by, any person being granted access; and (c) an accurate audit record of each authorization showing who approved it, the date of approval, any changes, and its ultimate withdrawal. The record should be held in a secure location and a back-up copy should be stored offsite.

(2)   If physical alterations, repairs or functional changes affect the layout of the facility or the accessibility of areas within it, an accurate record should be made reflecting this, together with amendments to the security documentation and prompt communication of procedural changes to all affected personnel. While repair or construction trades people are present in the facility, they should observe the security policy and practices set out for them at the outset by the management of the regulated entity.

(3)   Visitor/guest access to areas that are subject to regulatory control must be recorded through a sign-in and authorization protocol. Although receptionists/secretarial staff may in some locations be the first to greet a visitor, recording the visit, including time of entry and time of departure, is the responsibility of the person authorized to escort the visitor/guest. This can be managed through a variety of options, including such commercial products as self-expiring visitor badge systems. Well-placed and clearly readable signage in public areas and on the approaches to controlled areas is recommended as a reminder to visitors that there are restricted areas effectively governed by law. Such signage should be worded in keeping with the culture of service offered by the organization, so standard pre-printed notices off the shelf may not be suitable.


Summary comment on the checklist template

Some practical points and reminders to include in your assessment (and audit) documentation are:


o    Description of main entry door locks.

o    Are the locks changed (or rekeyed) and alarm codes changed after employees or contractors are terminated? How do you know? A returned key may have been copied and a code cannot be un-learned, so collecting the credential is not enough.

o    Is there a complete list by name of key holders (including business associates and contractors such as janitors, or the landlord)?

o    Identify/describe security systems and monitoring service company, and list by name the people who have access codes.

o    Document, for policy review, how often the security system pass codes are changed; for example, state a specific policy of changing these codes every 90 days and whenever an employee or code-holding contractor leaves.

o    Ask basic questions, e.g. are medical records (charts) maintained in a separate room? Is this room locked? Are medical records maintained in a locking file cabinet?

o    Remember the importance of physical barriers for unauthorized access. For example is there a door between the waiting room and the rest of the office? Is this door locked?

o    Do you use signage to indicate “Authorized access”?

o    Are fax machines and computer terminals kept distant or turned away from patients and/or repair people?

o    Are repair personnel accompanied and monitored when they are on the premises?

o    Do you use door chart holders that are opaque, or do you turn the chart around so there are no identifying indicators to passers-by?

o    Is it a practice of the physician or nursing staff to do dictation in the hall or in other areas where patients might be present?

o    Is your paper waste shredded? How, by whom, when and how can you be certain?

o    Does your paper waste get discarded at the end of the day? If so, does it get discarded into locked trash dumpsters?

o    Do you store old charts or records in a separate room? Does this room have a lock?

o    Are billing records kept in secured areas? For example are payment remittances and superbills kept in a locked cabinet or a locked office?

o    Has the staff been trained to lock rooms and cabinets at night?

o    Are cleaners given any locking responsibility? Will this be appropriate in a HIPAA regulated environment?

o    Does the physician keep charts, lab results and so forth in his/her office at night? Does that office have a lock? Who has keys to it?

o    Are charts removed from the office for any reason? When they are removed are they placed and kept in any kind of locked container?
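The authorization record described under Refinement (1) and the checklist questions above (locks changed after terminations, a complete list of key and code holders, pass codes rotated every 90 days or whenever someone leaves) can be checked mechanically if the register is kept as structured data rather than free text. The following is an added example written for this editorial pass; it is not code from the PrivaGuide or from PrivaPlan. The field names, the credential naming scheme (`badge:`, `key:`, `alarm-code:`), the 90-day rotation period and every person, date and location in the sample register are constructed assumptions for illustration, not HIPAA requirements.

```python
"""Audit of a physical-access authorization register (added example).

Turns the checklist questions above into checks that run over a register of
access grants: terminated people whose access was never withdrawn, holders who
never acknowledged the rules, alarm codes older than the rotation period, and
keys or codes that a departed holder still effectively has. All records and
dates below are constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class AccessGrant:
    holder: str                    # employee, contractor or business associate
    credential: str                # "badge:<area>", "key:<lock>", "alarm-code:<panel>"
    area: str                      # location the grant covers
    approved_by: str
    approved_on: date
    acknowledged: bool             # holder signed the access rules
    withdrawn_on: Optional[date] = None


@dataclass
class Finding:
    severity: str                  # "high" or "medium"
    holder: str
    credential: str
    detail: str


def is_shared_secret(credential: str) -> bool:
    """Keys can be copied and codes can be remembered: withdrawing the record
    does not take the secret away, so the lock or code itself must change."""
    return credential.startswith(("key:", "alarm-code:"))


def audit_access_register(
    grants: List[AccessGrant],
    terminations: Dict[str, date],      # holder -> last day on the premises
    last_reset: Dict[str, date],        # credential -> lock rekeyed / code changed
    as_of: date,
    rotation_days: int = 90,            # assumed policy for alarm codes
) -> List[Finding]:
    findings: List[Finding] = []

    for g in grants:
        active = g.withdrawn_on is None or g.withdrawn_on > as_of
        left_on = terminations.get(g.holder)
        if active and left_on is not None and left_on <= as_of:
            findings.append(Finding("high", g.holder, g.credential,
                f"left on {left_on} but access to {g.area} was never withdrawn"))
        if active and not g.acknowledged:
            findings.append(Finding("medium", g.holder, g.credential,
                "holder has not acknowledged the access rules"))

    for credential, changed in last_reset.items():
        if credential.startswith("alarm-code:") and (as_of - changed).days > rotation_days:
            findings.append(Finding("medium", "-", credential,
                f"code last changed {changed}, older than {rotation_days} days"))
        if not is_shared_secret(credential):
            continue
        # Anyone who ever held this key or code and left after it was last
        # changed still effectively has it, withdrawn record or not.
        for g in grants:
            left_on = terminations.get(g.holder)
            if g.credential == credential and left_on is not None and changed < left_on <= as_of:
                findings.append(Finding("high", g.holder, credential,
                    f"left on {left_on}; {credential} unchanged since {changed}"))
    return findings


def sample_register():
    """Constructed sample data for a small practice, as of 15 March 2004."""
    as_of = date(2004, 3, 15)
    grants = [
        AccessGrant("Alice Moreno", "badge:main-suite", "main suite", "Office Mgr",
                    date(2003, 1, 10), acknowledged=True),
        AccessGrant("Bob Tran", "key:records-room", "records room", "Office Mgr",
                    date(2002, 6, 1), acknowledged=True),            # left; never withdrawn
        AccessGrant("CleanCo Janitorial", "alarm-code:suite-200", "suite 200", "Office Mgr",
                    date(2003, 9, 1), acknowledged=False),           # rules never signed
        AccessGrant("Dana Okafor", "alarm-code:suite-200", "suite 200", "Office Mgr",
                    date(2003, 3, 1), acknowledged=True,
                    withdrawn_on=date(2004, 1, 20)),                 # withdrawn; code not changed
    ]
    terminations = {"Bob Tran": date(2004, 2, 28), "Dana Okafor": date(2004, 1, 20)}
    last_reset = {"alarm-code:suite-200": date(2003, 12, 1),
                  "key:records-room": date(2001, 5, 15)}
    return grants, terminations, last_reset, as_of


def run_sample() -> List[Finding]:
    return audit_access_register(*sample_register())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} {f.holder:20} {f.credential:24} {f.detail}")
```

On the sample data the audit raises five findings: Bob Tran's key grant was never withdrawn after he left and the records-room lock has not been rekeyed since; the janitorial contractor holds an alarm code without having acknowledged the rules; and the suite 200 code is both past the 90-day rotation period and still known to Dana Okafor, whose record was withdrawn but whose departure did not trigger a code change. The last point is the one the checklist's "How do you know?" is driving at: marking a record withdrawn proves nothing about a key that may have been copied or a code that is still in someone's head, so the audit has to compare departure dates with the date the lock or code was last changed, not merely with the withdrawal date.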



About the Author:


David Forbes


David Forbes has over 30 years experience in law enforcement, commercial and industrial security-related risk management, and service sector business management. A former head of Thames Valley Police Fraud Squad, trained at New Scotland Yard he was raised and educated to university postgraduate level in England, and is the Co-Founder, past Chairman and current member of the Loughborough University Security Forum. He is also a member of the American Society for Industrial Security, the National Cargo Security Council, The National Legislative Services and Security Association and the Colorado Crime Prevention Association.

As global head of security for a major logistics organization, prior to becoming an independent consultant in 1993 he was responsible for the selection, training and leadership of a regional security management team covering 140 countries. His expertise includes the design and implementation of security programs that successfully combine manpower technology and business goal delivery. He has directed and supervised the introduction of security systems for corporate offices, computer suites, aviation facilities and logistics warehouses in several countries.

His numerous and varied executive consultant projects include advising government departments and private corporations on the successful and cost effective application of security principles incorporating technology within culturally supportive programs.                       


Media interviews have led to articles about his work being published in magazines and newspapers as far apart as the United Kingdom, Australia, Singapore and the United States. Television and radio entities featuring interviews with David Forbes include the BBC, CNN, FoxNews International, NBC, MSNBC, Channel 9News Denver, CBS Channel 4 Denver, Fox Channel 31 Denver, WB2 News Denver, Radio KHOW Denver, Radio Colorado (Sept 11 special, and Sept 17 Winning on Wall Street) Radio KYGO Denver, Radio KMOX St. Louis, Radio KSON San Diego and Radio KTSA San Antonio. News journalists, particularly from the Denver Post, the Denver Business Journal and the Rocky Mountain News as well as local TV stations continue to call upon him for comment, virtually on a weekly basis.

Mr. Forbes can be contacted at Quo Vadis International, PO Box 800 Fort Lupton, CO 80621 telephone 303 857 8200 Email:
