HIPAA PP-1.2: Facility Access Controls & Security Plan Requirements
Facility access controls are foundational to HIPAA compliance, protecting both physical infrastructure and the sensitive data it contains. PP-1.2 requires organizations to implement comprehensive policies and procedures that prevent unauthorized personnel from entering restricted areas, tampering with equipment, or stealing assets. Without proper facility security measures, even the strongest technical controls can be compromised.
What this means
PP-1.2 requires you to establish and maintain a formal Facility Security Plan that addresses physical security risks to your healthcare facility and equipment. This means documenting policies for controlling entry to restricted areas (server rooms, file storage, workstations), monitoring facility access, and protecting against environmental threats like fire or water damage. The control applies to all locations where you store, process, or transmit Protected Health Information (PHI), whether that's your main office, data centers, or remote work sites.
How to comply
- 1.Develop and document a Facility Security Plan that identifies all areas containing PHI or supporting systems
- 2.Define access levels and designate which personnel can access restricted areas; implement role-based access controls
- 3.Install and maintain physical security measures such as locks, badges, surveillance cameras, and alarm systems
- 4.Establish sign-in/sign-out procedures or electronic access logs for visitors and contractors entering sensitive areas
- 5.Conduct regular facility security assessments to identify vulnerabilities in physical access points
- 6.Train employees on facility access policies and the importance of preventing unauthorized entry
- 7.Monitor access logs regularly and investigate any unauthorized access attempts or anomalies
- 8.Implement environmental controls to protect equipment from damage (temperature monitoring, fire suppression, water management)
Evidence auditors look for
- Facility Security Plan document with access control policies and procedures
- Physical security inventory (cameras, locks, badge readers, alarms with maintenance records)
- Access control logs or badge reader audit trails showing entry/exit records
- Visitor sign-in sheets or electronic visitor management system records
- Security assessment reports documenting facility vulnerabilities and remediation efforts
- Employee training records on facility access policies and security procedures
- Access review logs showing periodic verification that access rights remain appropriate
- Incident reports documenting any unauthorized access attempts or physical security breaches
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates facility access control documentation and monitoring by centralizing your security policies, visitor logs, and access audit trails in one platform—eliminating manual spreadsheets and making evidence collection for audits instantaneous.
See how GRCWatch handles this control automatically
Start free trial