...
HIPAA Security Rule - Physical Safeguards
The HIPAA Security Rule establishes safeguards to protect electronic protected health information (ePHI). Within that, the Physical Safeguards specifically address physical access to ePHI and the facilities where it's stored.
28 CFR Part 22 - Confidentiality of Identifiable Research and Statistical Information
The Electronic Code of Federal Regulations (eCFR) Title 28, Part 22, pertains to the confidentiality and proper use of identifiable research and statistical information.
Implementation
Secure Research Facilities (SRF) need to be secured with an electronic lock, and access must be restricted to only the individuals who need to have access to the facility, including:
Approved researchers
Lehigh University Police
Other individuals who need access, including cleaning staff, will need to be provided access and be monitored by those with approved access.
Secure Research Facilities are intended to limit access to authorized individuals and should not be shared. The space and all equipment will be dedicated solely to its research purpose. If the physical space must be shared, it should only be for other research requiring a similar level of security, and there must be other physical and/or logical controls in place to restrict access. For example, using separate computers inside of an SRF for each research project.
All access needs to be recorded in audit logs.
Electronic Access Control (Preferred) - An SRF should be secured with electronic access, and logs will be sent to the Information Security office for audit purposes monthly.
Physical Key - Physical keys should only be used for emergency access to an SRF. If a physical key is used, then access needs to be manually recorded in the access log upon entry and exit. The log needs to be immediately available upon entry, and copies of the logs need to be sent to Information Security for audit purposes monthly.
Information Security will maintain a list of authorized users and audit access logs.
Maintenance Access - If maintenance or housekeeping access is required it must be conducted in the presence of personnel with authorized access to the space.
Related
Definitions
Secure Research Facilities - Physical space where research involving sensitive data (e.g. CUI, PHI/ePHI) must be conducted.
Revision History
Date | Version | Description | Approval |
---|---|---|---|
 | 1.0 | Original Document | Draft |
 | 1.01 | Revisions | Draft |