Workflow

Adding Clinic Number Two: What Changes in EMR Access and Risk

When a practice opens its second location, the EMR usually just works. Same tenant, same login, new address in the header. That smoothness is exactly the problem: the software scaled effortlessly and your obligations did not. You now run one information system across two facilities, and the Security Rule cares about both nouns. The technical safeguards mostly came along for free. The physical and administrative ones did not replicate themselves, and nobody gets a notification about it.

One system, two facilities

Hold this distinction and most of the confusion resolves.

Your EMR is one system. Adding a site adds users, locations, and schedules to it, and its technical safeguards at 45 CFR 164.312 — access control, audit controls, authentication, transmission security — largely extend automatically. Nothing about a second location weakens your encryption.

Your organization now occupies two buildings. The physical safeguards at 45 CFR 164.310 are written against facilities and workstations, not against tenants. There is no configuration setting that locks a door in a building forty minutes away.

Almost every second-site compliance gap lives in that gap: the technical layer scaled, the physical layer did not, and because the software felt complete, nobody went looking.

The regulation says “facilities,” plural

This is not an inference. 45 CFR 164.310(a)(1):

Standard: Facility access controls. “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

The plural is in the text of the rule. The drafters anticipated multi-site entities, and the standard reaches each facility.

HHS is equally direct on the analysis side. Its risk analysis guidance states that “[e]lectronic media includes a single workstation as well as complex networks connected between multiple locations,” and that an organization's risk analysis “should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its e-PHI.”

So the regulatory position on multi-site scope is settled and has been for years. Every location holding ePHI is in scope. The only open questions are operational.

What happens to your risk analysis scope

The requirement at 164.308(a)(1)(ii)(A) is an accurate and thorough assessment of risks to ePHI held by the covered entity or business associate. Your organization did not become two organizations when it signed a second lease. It became one organization holding ePHI in two places.

People ask whether that means one risk analysis or two. The rule does not count documents. It defines a scope and requires the scope to be covered. One analysis covering two facilities is fine. Two analyses are fine. What is not fine is a scope with a building missing from it, which is the common outcome when site two opens between assessment cycles and quietly waits eleven months to be noticed.

The elements HHS lists all have to reach the new site. Data collection — an organization must identify where the ePHI is stored, received, maintained, or transmitted, and site two is a new answer to that question. Assess current security measures — and the measures at site two are not necessarily the measures at site one, because it is a different building with a different floor plan, possibly a different landlord, and different doors.

That last point is the one worth internalizing: you cannot copy site one's physical findings to site two. The analysis is about a specific environment. A second building is a second environment.

Access management is where it actually goes wrong

If you fix one thing from this article, fix this. The second-site rollout is the single most reliable generator of access sprawl in a growing practice, and the mechanism is always the same.

Opening a location means people work across both for a while. The front-desk lead covers site two on Tuesdays. An MA floats for six weeks. A biller helps with go-live. Each gets access to both sites, entirely appropriately, for that period. Then the period ends and the access does not.

Two provisions bear on this:

  • 164.308(a)(4)(ii)(C), Access establishment and modification (Addressable) — implement policies and procedures that, based upon your access authorization policies, “establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.” Most organizations do establish and document well. Review and modify are where it lapses, and they are in the same sentence.
  • 164.308(a)(3)(ii)(A), Authorization and/or supervision (Addressable) — procedures for the authorization and supervision of workforce members who work with ePHI “or in locations where it might be accessed.”

Read that second one again, because it is doing something specific. The rule is not only about who has a role. It is about where people are. It is a location-aware requirement, which is precisely the thing a single-site practice never had to think about and a two-site practice suddenly does.

The practical consequence: temporary cross-site access needs an end date at the moment it is granted, not a review at some later point when nobody remembers why the biller can see both schedules. And it compounds — by site four, if nothing was ever revoked, everyone has everything, and your access model is decorative.

Two other things break quietly here. 164.312(a)(2)(i), Unique user identification, is Required — and a new site under launch pressure is where shared logins get invented, usually for the front desk, usually as a temporary measure. And 164.308(a)(1)(ii)(D), Information system activity review, is Required — regular review of records of system activity such as audit logs and access reports. When you add a site you roughly double the log volume, and a review process sized for one clinic silently becomes a review process covering half your activity. Both of those are Required specifications, not addressable ones.

The physical work does not replicate itself

Everything at 164.310 has to be done again, on site, at the new building. There is no remote version of this.

ProvisionWhat site two needs
164.310(a)(1) Facility access controlsPhysical access limited at the new building, authorized access still allowed
164.310(a)(2)(ii) Facility security plan (Addressable)Its own plan — safeguarding the facility and equipment from unauthorized access, tampering, and theft
164.310(a)(2)(iii) Access control and validation (Addressable)Role-based access to the facility, including visitor control
164.310(a)(2)(iv) Maintenance records (Addressable)Repairs and modifications to security-related components — the rule's own examples are “hardware, walls, doors, and locks”
164.310(b) Workstation useThe physical attributes of the surroundings at the new site's workstations
164.310(c) Workstation securityPhysical safeguards for every workstation there
164.310(d) Device and media controlsReceipt and removal of hardware and media, Disposal and Media re-use both Required

Notice how much of that list is about a physical place: walls, doors, locks, visitors, where a screen faces. A remote questionnaire filled in by someone at site one cannot answer any of it about site two. Somebody has to be in the building. That is not a philosophical claim — it is what “the physical attributes of the surroundings” and “walls, doors, and locks” mean.

Also worth noting: the new site's landlord, cleaning crew, and after-hours access arrangements are probably different from site one's. Visitor control at 164.310(a)(2)(iii) is not the same problem in a shared medical office building as in a standalone clinic.

Contingency planning gets more interesting

164.308(a)(7) is the contingency plan standard, and three of its five specifications are Required: data backup plan, disaster recovery plan, and emergency mode operation plan.

Two sites change the shape of these questions in ways worth thinking through deliberately. If site two loses connectivity, can it operate? If site one's network closet floods, does site two keep seeing patients? Does your emergency mode operation plan assume a building that no longer represents the whole organization?

There is an upside here that is easy to miss: a second location is a genuine resilience asset if you plan for it. Site one's outage does not have to stop the organization. But that only holds if someone wrote it down. 164.310(a)(2)(i), Contingency operations, is the physical counterpart — procedures allowing facility access in support of restoring lost data under the disaster recovery and emergency mode operations plans. Two facilities, two sets of doors that might need opening at 3 a.m.

Media starts moving between buildings

Single-site practices rarely think about this. Multi-site practices immediately need to.

164.310(d)(1) governs “the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”

The moment you have two clinics, things travel. A laptop goes with the float provider. A backup drive gets carried between sites. A printer is retired at site one and redeployed at site two — and Media re-use at 164.310(d)(2)(ii) is Required: procedures for removing ePHI from electronic media before the media are made available for re-use. The hand-me-down workstation is a real and routine exposure in a growing practice, and it is one the rule names directly.

164.310(d)(2)(iii), Accountability (addressable), asks you to maintain a record of the movements of hardware and media and the person responsible. In a one-building practice that can feel like bureaucracy. With two buildings and a car, it is just asset tracking.

Opening a site is a trigger, not a project milestone

HHS's guidance lists what should prompt fresh analysis: if an entity “has experienced a security incident, has had change in ownership, turnover in key staff or management, is planning to incorporate new technology to make operations more efficient, the potential risk should be analyzed.” It also states that a truly integrated risk analysis and management process “is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation.”

A new clinic is a new business operation. The guidance's own logic says analyze it while planning it — not after the ribbon is cut. And 164.308(a)(8) requires evaluation “in response to environmental or operational changes affecting the security of electronic protected health information.” A second building is the most literal environmental change available.

The cheap version of this is a walkthrough during the buildout, when you can still move a workstation, specify a lock, or ask for a door. The expensive version is discovering after go-live that the records room shares a wall with a public corridor.

A second-site checklist

  1. Add site two to the ePHI inventory before opening, not at the next review.
  2. Walk the new building against 164.310 — doors, closets, screen sightlines, visitor path, after-hours access. Do it during buildout.
  3. Give every cross-site access grant an end date at the moment you grant it.
  4. Schedule the access review for 30 days after go-live, when the temporary grants have outlived their reason.
  5. Check unique user identification survived the launch. Look for the shared front-desk login.
  6. Resize audit log review for the new volume, per 164.308(a)(1)(ii)(D).
  7. Re-examine contingency plans for two sites, in both directions.
  8. Start a media movement log the day the first laptop travels.
  9. Set timeouts from site two's own floor plan, not site one's.
  10. Document all of it and retain per 164.316(b)(2)(i) — six years from creation or last in effect, whichever is later.

The instinct to treat site two as a copy of site one is what causes the problem. The EMR tenant copies. The building does not.

Common questions

If we run one EMR across two clinics, do we need one risk analysis or two?

The Security Rule does not count engagements, it defines scope. 45 CFR 164.308(a)(1)(ii)(A) requires an assessment of risks to all ePHI held by the organization, and HHS guidance states that electronic media includes a single workstation as well as complex networks connected between multiple locations, and that the analysis should take into account all ePHI regardless of the source or location of that ePHI. So the requirement is that both buildings are inside the scope. Whether you document that as one analysis covering two facilities or two analyses is your choice. What is not a choice is leaving the second site out.

Does the HIPAA Security Rule mention multiple facilities?

Yes, explicitly. 45 CFR 164.310(a)(1), the facility access controls standard, requires policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed. The plural is in the regulation itself. HHS risk analysis guidance also states that electronic media includes complex networks connected between multiple locations. The rule anticipates that a single regulated entity may operate more than one building, and it expects physical access to be controlled at each of them.

What is the biggest EMR access risk when opening a second location?

Role sprawl during the rollout. Staff working temporarily across both sites get access to both, and the temporary access is rarely removed. 45 CFR 164.308(a)(4)(ii)(C), access establishment and modification, is addressable and requires policies and procedures to establish, document, review, and modify a user's right of access. The review and modify half is the part that lapses. 164.308(a)(3)(ii)(A) is also relevant because it covers authorization and supervision of workforce members who work with ePHI or in locations where it might be accessed, which is a location-aware requirement, not just a role-based one.

Does a cloud EMR mean the second location needs no physical safeguards?

No. A cloud EMR removes the server from the second building; it does not remove the building. The physical safeguards at 45 CFR 164.310 apply wherever ePHI is accessed. That includes facility access controls at 164.310(a)(1), workstation use at 164.310(b) including the physical attributes of the surroundings, workstation security at 164.310(c), and device and media controls at 164.310(d), where disposal and media re-use are both labeled Required. A second clinic with no server still has screens, printers, laptops, and a back room.