Facility Access

10. Facility Access Policy

iDialogs works with Subcontractors to assure restriction of physical access to systems used as part of the iDialogs Platform. iDialogs and its Subcontractors control access to the physical buildings/facilities that house these systems/applications, or in which iDialogs workforce members operate, in accordance to the HIPAA Security Rule 164.310 and its implementation specifications. Physical Access to all of iDialogs facilities is limited to only those authorized in this policy. In an effort to safeguard ePHi from unauthorized access, tampering, and theft, access is allowed to areas only to those persons authorized to be in them and with escorts for unauthorized persons. All workforce members are responsible for reporting an incident of unauthorized visitor and/or unauthorized access to iDialogs facilities.

 iDialogs does not physically house any systems used by its Platform in iDialogs facilities. Physical security of our Platform servers is outlined in 10.2.  iDialogs utilizes Amazon Web Services (AWS) in conjunction with a BAA to provide HIPAA/HITRUST compliant services.

10.1 Applicable Standards

10.1.1 Applicable Standards from the HITRUST Common Security Framework

  • 08.b - Physical Entry Controls
  • 08.d - Protecting Against External and Environmental Threats
  • 08.j - Equipment Maintenance
  • 08.l - Secure Disposal or Re-Use of Equipment
  • 09.p - Disposal of Media

10.1.2 Applicable Standards from the HIPAA Security Rule

  • 164.310(a)(2)(ii) Facility Security Plan
  • 164.310(a)(2)(iii) Access Control & Validation Procedures
  • 164.310(b-c) Workstation Use & Security

10.2 iDialogs-controlled Facility Access Policies

  1. Visitor and third party support access is recorded and supervised. All visitors are escorted.
  2. Repairs are documented and the documentation is retained.
  3. Fire extinguishers and detectors are installed according to applicable laws and regulations.
  4. Maintenance is controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies and the organizations maintenance program.
  5. Electronic and physical media containing covered information is securely destroyed (or the information securely removed) prior to disposal.
  6. The organization securely disposes media with sensitive information.
  7. Physical access is restricted using smart locks that track all access.
    • Restricted areas and facilities are locked and when unattended (where feasible).
    • Only authorized workforce members receive access to restricted areas (as determined by the Security Officer).
    • Access and keys are revoked upon termination of workforce members.
    • Workforce members must report a lost and/or stolen key(s) to the Security Officer.
    • The Security Officer facilitates the changing of the lock(s) within 7 days of a key being reported lost/stolen
  8. Enforcement of Facility Access Policies
    • Report violations of this policy to the restricted areas department team leader, supervisor, manager, or director, or the Privacy Officer.
    • Workforce members in violation of this policy are subject to disciplinary action, up to and including termination.
    • Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from iDialogs.
  9. Workstation Security
    • Workstations may only be accessed and utilized by authorized workforce members to complete assigned job/contract responsibilities.
    • All workforce members are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications as per the System Access Policy.
    • All workstations purchased by iDialogs are the property of iDialogs and are distributed to users by the company.

10.3 Documentation Requirements

The iDialogs Organization utilizes Amazon Web Services (AWS, which maintains a HITRUST compliance and inherited by iDialogs via BAA) for storage of all sensitive information including ePHI within their facilities.  AWS, under the HITRUST CSF, maintains the following:

  1. Documentation of Physical Access Authorization for Restricted Areas and Restricted Devices The unit’s HIPAA Security Coordinator, or designees, maintain a record of workforce members and vendors who are authorized to access Restricted Areas. When authorizing physical access, workforce members may be identified by role, by name, or both, as appropriate.
  2. Documentation when Changing the Physical Facilities The Lead Project Coordinator and/or the Facilities/Building Services/Security Manager facilitates documentation throughout the project.
    1. Documentation includes, at a minimum, the following information:
      1. Description of the repair or modification.
      2. Repair or modification start and end dates.
      3. Contact information for the units, contractors or vendors who completed the repair or modification.
      4. Summary of steps taken to reduce any material increase to the security risk(s) to PHI (including those identified before, during, and after the work was completed). At a minimum, this summary includes:
        1. Description of the identified material increase(s) in security risk(s)
        2. A description of what was done to reduce those security risk(s)
        3. If a material increase in security risk was due to a “high” risk determination:
          1. Date the security risk was identified
          2. Dates and times steps were taken to reduce the security risk
          3. Individuals involved in reducing the security risk
    2. Documentation for may be incorporated by reference to project documentation maintained by others such as the project manager or general contractor, provided that the documentation (or a copy of it) is available for the required retention period.
    3. Documentation for for routine or repetitive work that results in a similar material increase in security risk(s) can reference prior documentation for similar work, provided that similar steps are taken to reduce the risk.
    4. No documentation is required for routine or repetitive work where there is a low risk that exposure of PHI would result in an incident requiring notification.
    5. After completion of the project, forward all documentation to the Facilities/Building Services/Security Manager.
  3. The custodians of records or documentation related to the HIPAA security facilities management will ensure that those records or documents are retained for six years from the date of creation or date it was last in effect, whichever is later.