10. Facility Access Policy
The majority of CIRG servers are housed in University of Washington (UW) data centers alongside primary UW Medical Center systems, with physical access controls provided by UW IT Services (UW IT). CIRG also relies on UW IT for networking, UWNetID identity provisioning, DNS, LDAP / Active Directory, and the Tivoli remote backup system.
Note: some CIRG systems are hosted on HIPAA-compliant cloud infrastructure, such as Amazon Web Services and Datica.
CIRG and UW IT restrict physical access to the systems that make up the CIRG environment. CIRG and UW IT control access to the buildings and facilities that house these systems and applications, or in which CIRG workforce members work, in accordance with HIPAA Security Rule 164.310 and its implementation specifications. Physical access to all facilities used by CIRG is limited to those persons authorized under this policy. To safeguard ePHI from unauthorized access, tampering, and theft, access to an area is granted only to persons authorized to be in it; all other persons must be escorted. All workforce members are responsible for reporting any unauthorized visitor or unauthorized access to a UW IT facility.
10.1 Applicable Standards
10.1.1 Applicable Standards from the HITRUST Common Security Framework
- 08.b - Physical Entry Controls
- 08.d - Protecting Against External and Environmental Threats
- 08.j - Equipment Maintenance
- 08.l - Secure Disposal or Re-Use of Equipment
- 09.p - Disposal of Media
10.1.2 Applicable Standards from the HIPAA Security Rule
- 164.310(a)(2)(ii) Facility Security Plan
- 164.310(a)(2)(iii) Access Control & Validation Procedures
- 164.310(b-c) Workstation Use & Security
10.2 CIRG and UW-controlled Facility Access Policies
- Visitor and third party support access is recorded and supervised. All visitors are escorted.
- Repairs are documented and the documentation is retained.
- Fire extinguishers and detectors are installed according to applicable laws and regulations.
- Maintenance is controlled and conducted by authorized personnel in accordance with supplier-recommended intervals, insurance policies, and the organization's maintenance program.
- Electronic and physical media containing covered information are securely destroyed (or the information is securely removed) prior to disposal.
- The organization securely disposes of media containing sensitive information.
- Physical access is restricted using smart locks that track all access.
- Restricted areas and facilities are locked when unattended (where feasible).
- Only authorized workforce members receive access to restricted areas (as determined by the Security Officer).
- UW IT data center access requires two-factor authentication.
- Access and keys are revoked upon termination of workforce members.
- Workforce members must report a lost and/or stolen key(s) to the Security Officer.
- The Security Officer facilitates the changing of the lock(s) within 7 days of a key being reported lost/stolen.
- Enforcement of Facility Access Policies
  - Report violations of this policy to the restricted area's department team leader, supervisor, manager, or director, or to the Privacy Officer.
  - Workforce members in violation of this policy are subject to disciplinary action, up to and including termination.
  - Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from CIRG.
- Workstation Security
  - Workstations may only be accessed and used by authorized workforce members to complete assigned job/contract responsibilities.
  - All workforce members are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications, as per the System Access Policy.
  - All workstations purchased by CIRG or the University of Washington are the property of CIRG or the University of Washington and are distributed to users by CIRG.