HIPAA physical safeguards are an essential aspect of any covered entity’s PHI security, but they can easily be overlooked. Technical safeguards and administrative safeguards tend to be pushed to the forefront of a covered entity’s overall health data security plan. However, physical safeguards are just as critical, and they must work seamlessly with the other two sets of federal requirements.
Whether an organization needs to review its storage methods for portable devices, or is considering a new system for its security cameras, understanding the basic needs for HIPAA physical safeguards is an important aspect in keeping an organization’s sensitive data secure.
What are HIPAA physical safeguards?
The HIPAA Security Rule describes physical safeguards as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Essentially, a covered entity needs to consider all physical access to ePHI. Everything from the healthcare organization’s office to employees’ homes, and even a separate physical storage center, needs to be properly secured.
As portable media, such as USB drives and laptops, become more common at healthcare organizations, it is essential for those entities to understand how to keep that media secure. This means going beyond putting a password or even encryption on the device, and also ensuring that the device itself cannot be easily stolen, lost or inappropriately accessed.
As with other HIPAA safeguard requirements, a healthcare organization must implement physical policies and procedures that are appropriate for its regular operations. For example, a small covered entity might not necessarily need video monitoring systems, and if portable devices are not even in use, then there is not a need to require that they be kept under lock and key. However, all organizations would benefit from locking office doors and from having some sort of security system in place.
Facility access and control
One of the key aspects for covered entities to consider when implementing physical safeguards is facility access and control. The physical access to electronic systems must be limited, and healthcare organizations must ensure that only authorized users are able to access the information.
There are four implementation specifications for covered entities to follow:
- Contingency operations
- Facility security plan
- Access control and validation procedures
- Maintenance records
All four of these specifications are considered “addressable,” meaning that it is not technically required for healthcare organizations to use them. However, this does not mean that they should not be used at all. Rather, entities must determine what is appropriate for their specific operations, and then implement the necessary security measures.
Contingency operations require that healthcare organizations “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”
The facility security plan is how an organization ensures that the actual facility is protected from unauthorized access, tampering or theft. For example, this is where a covered entity would consider surveillance cameras, property control tags, ID badges and visitor badges, or private security patrols.
Access control and validation procedures refer to ensuring that individuals are only given access that is appropriate for their job function.
“The purpose of this implementation specification is to specifically align a person’s access to information with his or her role or function in the organization,” explains the HIPAA Security Series. “These functional or role-based access control and validation procedures should be closely aligned with the facility security plan.”
Finally, the maintenance records aspect dictates that healthcare organizations must regularly check for, and then implement as necessary, any security updates or modifications. All repairs and changes must be documented. For example, a logbook that notes the date, the reason for a particular repair and who authorized it could be beneficial.
Workstation use and device security
The second key portion of HIPAA physical safeguards discusses workstation use and device security. Organizations “must implement policies and procedures to specify proper use of and access to workstations and electronic media,” and have the necessary policies and procedures “regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information.”
When determining workstation security, a covered entity needs to consider the environment. Is the workstation in a public place? How many people access it? From there, healthcare organizations must implement appropriate security measures. There are no implementation specifications for workstation security, but covered entities must implement measures that fit their daily workflow and facility.
For device and media control, organizations must adhere to the following specifications:
Disposal (Required): When electronic media is disposed of, covered entities must ensure that it is unusable and/or inaccessible. This could be done by applying a strong magnetic field to the device (also known as degaussing), or the media could be damaged beyond repair.
Media Re-Use (Required): When an organization wants to reuse a piece of media, such as a computer or a floppy disc, it must remove all ePHI before it is used again.
Accountability (Addressable): This requires that records are kept on where hardware and electronic media are moved, and who has access to them. This is most applicable with portable workstations or portable devices. Whenever an item is moved, it must be properly documented. However, if a covered entity does not use portable devices, this may not be a necessary measure.
Data backup and storage (Addressable): This requires that “a retrievable, exact copy” of ePHI is created before equipment is moved. For example, a backup hard drive could be made when an organization is moving. Alternatively, if all information is already kept on the main network, a separate backup hard drive may not be needed.
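As an added illustration that is not part of the article or of any HIPAA guidance, the following Python helper puts the backup and accountability specifications above into code: it makes the copy, proves the copy is exact and retrievable by re-reading and hashing the destination, and then appends a custody record of the move. The file contents, asset tag, locations and custodian name are constructed placeholders.

```python
"""Constructed example: verified backup plus accountability log for a media move."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_and_verify(src: Path, dest_dir: Path) -> dict:
    """Copy src into dest_dir and confirm the result is an exact, retrievable copy.

    The destination is re-read and hashed independently rather than trusting
    the copy call, which is what "retrievable, exact copy" asks for."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    shutil.copy2(src, dest)
    before, after = sha256_of(src), sha256_of(dest)
    if before != after:
        raise RuntimeError(f"backup of {src} is not an exact copy")
    return {"source": str(src), "backup": str(dest), "sha256": after}


def record_move(log: Path, asset_tag: str, from_loc: str, to_loc: str,
                custodian: str, backup: dict) -> dict:
    """Append one accountability entry: what moved, where, who is responsible,
    and the hash of the verified backup taken before the move."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "asset": asset_tag,
             "from": from_loc, "to": to_loc, "custodian": custodian,
             "backup_sha256": backup["sha256"]}
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Run the two steps against a constructed file in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    src = work / "records.db"
    src.write_bytes(b"constructed sample ePHI placeholder\n" * 100)  # placeholder data
    backup = backup_and_verify(src, work / "backup")
    return record_move(work / "custody.log", "LAPTOP-0042", "Clinic A",
                       "Clinic B", "j.doe", backup)
```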
Maintain HIPAA compliance
As stated earlier, HIPAA physical safeguards are a crucial piece to a healthcare organization’s larger data security plan. They must be implemented in a way that balances and works with administrative and technical safeguards.
It is up to covered entities to look at their daily operations and workflow needs to determine what the best options are for physical safeguards, and then ensure that employees at all levels adhere to them.