PH1 – §164.310(a)(1) Standard Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?

PH2 – §164.310(a)(1) Standard Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.

PH3 – §164.310(a)(1) Standard Do you have policies and procedures for the physical protection of your facilities and equipment? This includes controlling the environment inside the facility.

PH4 – §164.310(a)(1) Standard Do you have physical protections in place to manage physical security risks, such as a) locks on doors and windows and b) cameras in nonpublic areas to monitor all entrances and exits?

PH5 – §164.310(a)(2)(i) Addressable Do you plan and coordinate physical (facilities) and technical (information systems, mobile devices, or workstations) security-related activities (such as testing) before doing such activities to reduce the impact on your practice assets and individuals?

PH6 – §164.310(a)(2)(i) Addressable Have you developed policies and procedures that plan for your workforce (and your information technology service provider or contracted information technology support) to gain access to your facility and its ePHI during a disaster?

PH7 – §164.310(a)(2)(i) Addressable If a disaster happens, does your practice have another way to get into your facility or offsite storage location to get your ePHI?

PH8 – §164.310(a)(2)(ii) Addressable Do you have policies and procedures for the protection of keys, combinations, and similar physical access controls?

PH9 – §164.310(a)(2)(ii) Addressable Do you have policies and procedures governing when to re-key locks or change combinations when, for example, a key is lost, a combination is compromised, or a workforce member is transferred or terminated?

PH10 – §164.310(a)(2)(ii) Addressable Do you have a written facility security plan?

PH11 – §164.310(a)(2)(ii) Addressable Do you take the steps necessary to implement your facility security plan?

PH12 – §164.310(a)(2)(iii) Addressable Do you have a Facility User Access List of workforce members, business associates, and others who are authorized to access your facilities where ePHI and related information systems are located?

PH13 – §164.310(a)(2)(iii) Addressable Do you periodically review and approve a Facility User Access List and authorization privileges, removing from the Access List personnel no longer requiring access?

PH14 – §164.310(a)(2)(iii) Addressable Does your practice have procedures to control and validate someone’s access to your facilities based on that person’s role or job duties?

PH15 – §164.310(a)(2)(iii) Addressable Do you have procedures to create, maintain, and keep a log of who accesses your facilities (including visitors), when the access occurred, and the reason for the access?

PH16 – §164.310(a)(2)(iii) Addressable Has your practice determined whether monitoring equipment is needed to enforce your facility access control policies and procedures? 40
PH17 – §164.310(a)(2)(iv) Addressable Do you have maintenance records that include the history of physical changes, upgrades, and other modifications for your facilities and the rooms where information systems and ePHI are kept?

PH18 – §164.310(a)(2)(iv) Addressable Do you have a process to document the repairs and modifications made to the physical security features that protect the facility, administrative offices, and treatment areas?

PH19 – §164.310(b) Standard Does your practice keep an inventory and a location record of all of its workstation devices?

PH20 – §164.310(b) Standard Has your practice developed and implemented workstation use policies and procedures?

PH21 – §164.310(b) Standard Has your practice documented how staff, employees, workforce members, and non-employees access your workstations?

PH22 – §164.310(c) Standard Does your practice have policies and procedures that describe how to prevent unauthorized access of unattended workstations?

PH23 – §164.310(c) Standard Does your practice have policies and procedures that describe how to position workstations to limit the ability of unauthorized individuals to view ePHI?

PH24 – §164.310(c) Standard Have you put any of your practice’s workstations in public areas?

PH25 – §164.310(c) Standard Does your practice use laptops and tablets as workstations? If so, does your practice have specific policies and procedures to safeguard these workstations?

PH26 – §164.310(c) Standard Does your practice have physical protections in place to secure your workstations?

PH27 – §164.310(c) Standard Do you regularly review your workstations’ locations to see which areas are more vulnerable to unauthorized use, theft, or viewing of the data?

PH28 – §164.310(c) Standard Does your practice have physical protections and other security measures to reduce the chance for inappropriate access of ePHI through workstations? This could include using locked doors, screen barriers, cameras, and guards.

PH29 – §164.310(c) Standard Do your policies and procedures set standards for workstations that are allowed to be used outside of your facility?

PH30 – §164.310(d)(1) Standard Does your practice have security policies and procedures to physically protect and securely store electronic devices and media inside your facility(ies) until they can be securely disposed of or destroyed? 76
PH31 – §164.310(d)(1) Standard Do you remove or destroy ePHI from information technology devices and media prior to disposal of the device?

PH32 – §164.310(d)(1) Standard Do you maintain records of the movement of electronic devices and media inside your facility?

PH33 – §164.310(d)(1) Standard Have you developed and implemented policies and procedures that specify how your practice should dispose of electronic devices and media containing ePHI?

PH34 – §164.310(d)(2)(i) Required Do you require that all ePHI is removed from equipment and media before you remove the equipment or media from your facilities for offsite maintenance or disposal?

PH35 – §164.310(d)(2)(ii) Required Do you have procedures that describe how your practice should remove ePHI from its storage media/ electronic devices before the media is re-used?

PH36 – §164.310(d)(2)(iii) Addressable Does your practice maintain a record of movements of hardware and media and the person responsible for the use and security of the devices or media containing ePHI outside the facility?

PH37 – §164.310(d)(2)(iii) Addressable Do you maintain records of employees removing electronic devices and media from your facility that has or can be used to access ePHI?

PH38 – §164.310(d)(2)(iv) Addressable Does your organization create backup files prior to the movement of equipment or media to ensure that data is available when it is needed?