2023-04-11 NOTICE: The following policy or plan is currently under internal review and may not be up-to-date or fully aligned with our organization's current practices or procedures. Please check back shortly, or contact us for more information.
Facility Access Policy
Fox and Geese works with Subcontractors to ensure restrictions of physical
access to systems used as part of the Fox and Geese Platform. Fox and Geese and
its Subcontractors control access to the physical buildings/facilities that
house these systems/applications, or in which Fox and Geese workforce members
operate, in accordance with HIPAA Security Rule 164.310 and its implementation
specifications. Physical Access to all of Fox and Geese facilities is limited to
only those authorized in this policy. In an effort to safeguard PHI or PII from
unauthorized access, tampering, and theft, access is allowed to areas only to
those persons authorized to be in them and with escorts for unauthorized
persons. All workforce members are responsible for reporting an incident of
unauthorized visitor and/or unauthorized access to Fox and Geese's facility.
Of note, Fox and Geese does not have ready access to PHI or PII, it provides
cloud-based, compliant infrastructure to covered entities and business
associates. Fox and Geese does not physically house any systems used by its
Platform in Fox and Geese facilities. Physical security of our Platform servers
is outlined in Introduction.
Applicable Standards from the HITRUST Common Security Framework
- 08.b - Physical Entry Controls
- 08.d - Protecting Against External and Environmental Threats
- 08.j - Equipment Maintenance
- 08.l - Secure Disposal or Re-Use of Equipment
- 09.p - Disposal of Media
Applicable Standards from the HIPAA Security Rule
- 164.310(a)(2)(ii) Facility Security Plan
- 164.310(a)(2)(iii) Access Control & Validation Procedures
- 164.310(b-c) Workstation Use & Security
Fox and Geese-controlled Facility Access Policies
- Visitor and third party support access is recorded and supervised. All
visitors are escorted.
- Repairs are documented and the documentation is retained.
- Fire extinguishers and detectors are installed according to applicable laws
- Maintenance is controlled and conducted by authorized personnel in accordance
with supplier-recommended intervals, insurance policies and the
organization's maintenance program.
- Electronic and physical media containing covered information is securely
destroyed (or the information securely removed) prior to disposal.
- The organization securely disposes media with sensitive information.
- Physical access is restricted using smart locks that track all access.
- Restricted areas and facilities are locked when unattended (where
- Only authorized workforce members receive access to restricted areas (as
determined by the Security Officer).
- Access and keys are revoked upon termination of workforce members.
- Workforce members must report a lost and/or stolen key(s) to the Security
- The Security Officer facilitates the changing of the lock(s) within 7 days
of a key being reported lost/stolen
- Enforcement of Facility Access Policies
- Report violations of this policy to the restricted area's department team
leader, supervisor, manager, or director, or the Privacy Officer.
- Workforce members in violation of this policy are subject to disciplinary
action, up to and including termination.
- Visitors in violation of this policy are subject to loss of vendor
privileges and/or termination of services from Fox and Geese.
- Workstation Security
- Workstations may only be accessed and utilized by authorized workforce
members to complete assigned job/contract responsibilities.
- All workforce members are required to monitor workstations and report
unauthorized users and/or unauthorized attempts to access
systems/applications as per the System Access Policy.
- All workstations purchased by Fox and Geese are the property of Fox and
Geese and are distributed to users by the company.