OSHA: Does OSHA require annual fire drills?
No. However, annual fire drills are strongly suggested. OSHA’s Evacuation Plans and Procedures eTool, 1910.38(f), employers must review the emergency action plan with each employee covered by the plan:
When the plan is developed or the employee is assigned initially to a job;
When the employee’s responsibility under the plan changes; and
When the plan changes. Keep in mind, employees are more likely to forget the plan if reviews are infrequent.
HIPAA: Do we really need to place property control tags or engraving on equipment?
This is an addressable specification under the rule 164.310(a)(2)(ii) which means the covered entity has flexibility about the choice(s) made. However, the decision must be documented in writing.
Centers for Medicare & Medicaid Services (CMS) noted the following in their security series about physical safeguards:
Facility security plans must document physical access controls. These controls must ensure that only authorized individuals have access to facilities and equipment that contain ePHI. In general, physical access controls allow individuals with legitimate business needs to obtain access to the facility and deny access to those without legitimate business needs. Procedures must also be used to prevent tampering and theft of ePHI and related equipment.
Based upon the above statement, CMS suggests using these common controls:
Locked doors, signs warning of restricted areas, surveillance cameras, alarms
Property controls such as property control tags, engraving on equipment
Personal controls like ID badges, visitor badges and/or escort for large offices
Private security or patrolling
TMC’s risk analysis aligns closely with the guidance from CMS which has helped clients meet meaningful use. Be sure that you have addressed the required and addressable issues appropriately when a risk analysis is complete.