In this week’s “Know The Rules!,” I am sharing details about the Physical Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) Security Standards, 45 CFR § 164.310.
An important step in protecting electronic protected health information (ePHI) is to implement reasonable and appropriate physical safeguards for information systems and related equipment and facilities.
The HIPAA Security Rule defines Physical Safeguards as:
“Physical measures, policies and procedures to protect a CE’s and BA’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
As with all the standards in the HIPAA Security Rule, compliance with the Physical Safeguards standards requires Covered Entities (CEs) and Business Associates (BAs) to perform an evaluation of their security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to their organization.
The Physical Safeguards consist of four standards, several of which carry implementation specifications that are either required (R) or addressable (A). An addressable specification is not optional: the CE or BA must implement it if reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.
- Facility Access Controls – 45 CFR § 164.310(a)(1)
  - Contingency Operations (A)
  - Facility Security Plan (A)
  - Access Control and Validation Procedures (A)
  - Maintenance Records (A)
- Workstation Use – 45 CFR § 164.310(b)
- Workstation Security – 45 CFR § 164.310(c)
- Device and Media Controls – 45 CFR § 164.310(d)(1)
  - Disposal (R)
  - Media Re-use (R)
  - Accountability (A)
  - Data Backup and Storage (A)
The following table lists possible security areas to consider and examples of potential security measures for the Physical Safeguards.
Although the Physical Safeguard standard specifically references “workstations,” this is defined in the HIPAA Rules as:
“A computing device, for example a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.”
Portable electronic devices fall squarely within this definition, including tablets, smartphones, and similar portable devices, as well as easily carried thumb drives. Physical security controls are often the simplest and least expensive way to protect PHI.
Some physical controls cost nothing at all to implement, such as locking portable devices (laptop computers, portable storage devices, and pen drives) away when they are not in use. Another is to limit the amount of PHI stored on them in the first place, so that a lost or stolen device exposes as little as possible.
Remember: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs' and BAs' organizations and technologies change. It is NOT a sprint, but instead a MARATHON!!
Covered Entities and Business Associates need to understand that their patients are entrusting THEM with their most private and intimate details, and those patients expect that information to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.