Skip to content

Latest commit

 

History

History
33 lines (25 loc) · 2.98 KB

facility_access_policy.md

File metadata and controls

33 lines (25 loc) · 2.98 KB
Raw

Facility Access Policy

BloomAPI works with Subcontractors to assure restriction of physical access to systems used as part of the BloomAPI Platform. BloomAPI and its Subcontractors control access to the physical buildings/facilities that house these systems/applications, or in which BloomAPI workforce members operate, in accordance to the HIPAA Security Rule 164.310 and its implementation specifications. Physical Access to all of BloomAPI facilities is limited to only those authorized in this policy. In an effort to safeguard ePHi from unauthorized access, tampering, and theft, access is allowed to areas only to those persons authorized to be in them and with escorts for unauthorized persons. All workforce members are responsible for reporting an incident of unauthorized visitor and/or unauthorized access to BloomAPI's facility.

BloomAPI does not store any confidential information in BloomAPI facilities, nor does BloomAPI house any systems that serve confidential information in BloomAPI facilities. ePHI and confidential data is exclusively stored on secured servers and databases hosted within Google Cloud Platform, which is secured according to their access control policies here. These include live video monitoring, human security patrols, rigorous access control, etc.

Applicable Standards from the HITRUST Common Security Framework

  • 08.b - Physical Entry Controls
  • 08.d - Protecting Against External and Environmental Threats
  • 08.j - Equipment Maintenance
  • 08.l - Secure Disposal or Re-Use of Equipment
  • 09.p - Disposal of Media

Applicable Standards from the HIPAA Security Rule

  • 164.310(a)(2)(ii) Facility Security Plan
  • 164.310(a)(2)(iii) Access Control & Validation Procedures
  • 164.310(b-c) Workstation Use & Security

BloomAPI-controlled Facility Access Policies

  1. Visitor and third party support access is recorded and supervised. All visitors are escorted.
  2. Storage of confidential information and ePHI on removable media in BloomAPI facilities is prohibited.
  3. Fire extinguishers and detectors are installed according to applicable laws and regulations.
  4. Enforcement of Facility Access Policies
  • Report violations of this policy to the restricted area's department team leader, supervisor, manager, or director, or the Privacy Officer.
    • Workforce members in violation of this policy are subject to disciplinary action, up to and including termination.
    • Visitors in violation of this policy are subject to loss of vendor privileges and/or termination of services from BloomAPI.
  1. Workstation Security
    • Workstations may only be accessed and utilized by authorized workforce members to complete assigned job/contract responsibilities.
    • All workforce members are required to monitor workstations and report unauthorized users and/or unauthorized attempts to access systems/applications as per the System Access Policy.
    • All workstations purchased by BloomAPI are the property of BloomAPI and are distributed to users by the company.