When people talk about security in healthcare, they often relate to the security of technology, devices, or information stored. However, physical security is equally important. There’s an entire section on required physical safeguards under the HIPAA Security Rule. Without control over physical access, patients’ personal health information can be easily jeopardized. Nobody needs high-tech skills to walk away with information.
Overview of HIPAA Physical Safeguards
The HIPAA Security Rule defines physical safeguards as “the physical measures, policies, and procedures for protecting a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” An organization must think through every potential way for Protected Health Information (PHI) to be accessed physically during their daily operations.
HIPAA physical safeguards include four main implementation standards. Similar to the technical safeguards and administrative safeguards under the Security Rule, some of the physical safeguards are considered “required” while others are “addressable”. Addressable standards are, however, not optional. It just means that healthcare organizations should implement controls that are reasonable and appropriate to their specific technologies and company elements.
Let’s take a closer look at HIPAA Physical Safeguards with examples.
Facility Access Controls
The very first of these safeguards is Facility Access Controls. This safeguard requires organizations to set policies and procedures that limit access to the actual facilities that contain computers, servers, or other places that hold PHI. All four standards of Facility Access Controls are considered “addressable”. Besides preventing unauthorized access to facilities, these controls must allow authorized access to occur.
- Contingency Operations: This involves creating plans and procedures to allow facility access and emergency operations in the event of a natural disaster or another emergency.
- Facility Security Plan: This involves ensuring that the actual facility is protected from unauthorized access, theft, or tampering with the facility or any devices. For example, using surveillance cameras, property control tags, ID badges, and visitor badges.
- Access Control and Validation Procedures: This involves generating processes for limiting and controlling individual’s access facilities or software programs based on their position and need. Having a visitor access protocol is also necessary.
- Maintenance Records: Maintain protocol for documenting all maintenance, repairs, or changes to the facility as they may relate to security. (ex: locks, doors, hardware, etc.)
Device and Media Controls
The law defines the device and media controls related to the “removal of hardware and electronic media that contain electronically protected health information, in and out of a facility, and the movement of these items within the facility.”
In addition to securing physical facilities, covered entities and business associates must also control the devices and other mediums that access ePHI. This may include hard drives, any transportable digital memory cards, tapes, or disks.
Here are the four implementation standards (two addressable and two required):
- Disposal: Establish procedures for the proper disposal of ePHI or the devices or hardware that it is stored on. For example, applying a strong magnetic field to the device – also known as degaussing.
- Media Re-use: This involves having protocols in place for removing ePHI from any form of media before that media can be re-used.
- Data Backup and Storage: This involves making an exact copy of ePHI as a backup that is separately retrievable before ePHI containing workstation is moved. For example, create a backup hard drive when the organization is moving.
- Accountability: This involves maintaining a record of all movements of media or hardware, including location and person in possession.
And the next part is workstation security. It is defined in the Rule as “an electronic device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment”.
Organizations must run an analysis of their operations to determine the devices that could qualify as a workstation and then apply appropriate physical safeguards to prevent unauthorized access to these locations.
Both the implementation standards are required:
- Workstation Security: This involves having safeguards for workstations so that only correct users may have access to the workstations but restrict access to potential unauthorized users.
- Workstation Use: Specify the authorized functions that a certain device is allowed to perform and the websites or actions that can be accessed by users on these organization-owned devices. Since unauthorized use of these workstations can present additional risks, companies must implement this standard.
Manage Compliance Activities with HIPAA Ready
All the aforementioned standards when implemented correctly will protect covered entities and business associates from unauthorized access and data loss in the event of a disaster.
You can manage all these, for example, knowing which devices qualifies as a workstation and who’s in charge of that workstation, with HIPAA Ready. HIPAA Ready also helps to simplify the entire compliance process by allowing you to take actions based on your organizational requirements. The app also has a training management module that allows you to streamline training sessions, assign trainees, and keep track of who completed the training.