10. Facility Access Policy
W2H works with Subcontractors to assure restriction of physical access to systems used as part of the W2H Platform. W2H and its Subcontractors control access to the physical buildings/facilities that house these systems/applications, or in which W2H workforce members operate, in accordance with HIPAA Security Rule 164.310 and its implementation specifications. Physical access to all W2H facilities is limited to those authorized in this policy. To safeguard ePHI from unauthorized access, tampering, and theft, access to an area is allowed only to persons authorized to be in it; unauthorized persons must be escorted. All workforce members are responsible for reporting an incident of an unauthorized visitor and/or unauthorized access to a W2H facility.
Of note, W2H does not physically house any systems used by its Platform in W2H facilities. Physical security of our Platform servers is outlined in §1.1 - W2H Organizational Concepts.
10.1 Applicable Standards
10.1.1 Applicable Standards from the HITRUST Common Security Framework
- 08.b - Physical Entry Controls
- 08.d - Protecting Against External and Environmental Threats
- 08.j - Equipment Maintenance
- 08.l - Secure Disposal or Re-Use of Equipment
- 09.p - Disposal of Media
10.1.2 Applicable Standards from the HIPAA Security Rule
- 164.310(a)(2)(ii) Facility Security Plan
- 164.310(a)(2)(iii) Access Control & Validation Procedures
- 164.310(b-c) Workstation Use & Security
10.2 W2H-controlled Facility Access Policies
- W2H maintains offices within The University Of Pennsylvania campus. Access to the building is restricted by badge access. Floor access is also badge restricted. W2H inherits security, repair and maintenance, insurance and other requirements from the parent Penn Medicine and University of Pennsylvania organizations.
- Electronic and physical media containing covered information is securely destroyed (or the information securely removed) prior to disposal.
- The organization securely disposes of media containing sensitive information.
- Physical access is restricted using badges and keys where necessary.
- Restricted areas and facilities are locked when unattended (where feasible).
- Only authorized workforce members receive access to restricted areas.
- Access and keys are revoked upon termination of workforce members.
- Workforce members must report a lost badge immediately to security so that it can be disabled.
- Enforcement of Facility Access Policies
  - Report violations of this policy to the restricted area's department team leader, supervisor, manager, or director, or to the Privacy Officer.
  - Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from W2H.
- Workstation Security
  - Workstations may only be accessed and used by authorized workforce members to complete assigned job/contract responsibilities.
  - All workforce members are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications, as per the System Access Policy.
  - All workstations purchased by W2H are the property of Penn Medicine or the University of Pennsylvania and are distributed to users by those organizations.