Breaking Down the HIPAA Security Rule Physical Safeguards
Today I am breaking down the Physical Safeguards of the HIPAA Security Rule, 45 CFR § 164.310, into byte-size portions to help you understand how they are significant to your organization. The Physical Safeguards are physical measures, policies, and procedures to protect a regulated entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.
Physical Safeguards Definition
The HIPAA Security Rule defines Physical Safeguards as:
“Physical measures, policies and procedures to protect a CE’s and BA’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
What are the Physical Safeguards?
An important step in securing electronic protected health information (ePHI) is to implement reasonable and appropriate physical safeguards for information systems and related equipment and facilities. When evaluating and implementing the standards, a regulated entity must consider all physical access to ePHI. This may extend outside of an actual office, and could include workforce members’ homes or other physical locations where they access ePHI.
As with all the standards in the HIPAA Security Rule, compliance with the Physical Safeguards standards requires regulated entities to perform a complete and thorough evaluation of their security controls already in place and a series of documented solutions derived from a number of factors unique to their organization.
The Physical Safeguards and their implementation specifications are:
Note: (R) = Required; (A) = Addressable
- Facility Access Controls – 45 CFR § 164.310(a)(1)
  - Contingency Operations (A)
  - Facility Security Plan (A)
  - Access Control and Validation Procedures (A)
  - Maintenance Records (A)
- Workstation Use – 45 CFR § 164.310(b)
- Workstation Security – 45 CFR § 164.310(c)
- Device and Media Controls – 45 CFR § 164.310(d)(1)
  - Disposal (R)
  - Media Re-use (R)
  - Accountability (A)
  - Data Backup and Storage (A)
Security Area to Consider
Although the Physical Safeguards standards specifically reference “workstations,” the HIPAA Rules define that term as:
“A computing device, for example a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.”
This definition covers portable electronic devices such as tablets, smartphones, and similar devices, as well as easily portable thumb drives. Keep in mind that physical security controls are often the simplest and least expensive forms of protection for PHI.
Some physical security controls cost nothing to implement, such as locking away portable electronic devices (laptop computers, portable storage devices, and pen drives) when they are not in use. Another no-cost measure is to limit the amount of PHI those devices contain.
Remember: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as CE and BA organizations and their technologies change. It is NOT a sprint, but instead a MARATHON!!
Healthcare organizations and third-party vendors should understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.