Does HIPAA require us to keep the server room locked at all times?
No. The HIPAA security rule does not include that much detail. Covered entities (and noncovered entities interested in adhering to sound security practices) may or may not choose to lock the server room door or, in larger organizations, the door to the data center. It is important that you establish proper policies, procedures, and processes to limit server room access to only those who need it. Although HIPAA does not require that you lock server room and data center doors at all times, it is a beneficial security practice. Only work force members with a defined need to access the server room or data center should have key or swipe-card access. Note: Chris Apgar, CISSP, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
Related Questions
- Does Project Server 2007 require SharePoint to function fully? In particular, does the Project Web Access Client need SharePoint?
- Do premium AddOns require separate license keys under the Wowza Media Server 3 Perpetual Edition licenses?
- Does HIPAA require us to keep the server room locked at all times?
