Complying with HIPAA Administrative Security Rule

Let us look at the HIPAA Administrative Simplification Security Rule, and specifically at the implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable, which means that a covered entity must use reasonable and appropriate measures to meet the standard. Business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

To comply with this security rule, business associates and covered entities should start by implementing policies and procedures to document repairs and modifications to the security-related physical components of a facility (for example, hardware, walls, doors, and locks).

It is the duty of the Security Official to ensure that this implementation specification is in place. The Security Official should therefore create and maintain a log and a description of repairs or modifications made to the covered entity’s physical security components. The actions taken in this regard should be documented in writing in the log. The Security Rule requires that the log be maintained for a period of six years after completion of each maintenance action regarding physical security. The log may be maintained in electronic format, but the log retention time requires that electronic logs be routinely backed up.
