In part one of this three-part series, we discussed what HIPAA’s Security Rule’s Administrative Safeguards require and why these safeguards need to be implemented. In today’s post, we’re providing the same type of overview with its Physical Safeguards.
The U.S. Department of Health & Human Services defines physical safeguards as the “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
There are four main requirements with the Security Rule’s Physical Safeguards:
Facility Access Controls (§ 164.310(a)(1))
It’s mandatory for covered entities to limit physical access to their facilities and information systems while ensuring that properly authorized access is still allowed. This aspect of Physical Safeguards includes four implementation specifications to ensure all of a covered entity’s physical locations are secure.
Contingency Operations (§ 164.310(a)(2)(i))
In the event that a contingency plan is activated, CEs must have a plan in place for securing ePHI data. You never know when disaster will strike, so having processes in place to access and secure facilities before it happens is necessary.
An example would be to ensure, as part of the Disaster Recovery Plan, that IS personnel have a way to access the data facility in the event of a disaster or emergency.
Facility Security Plan (§ 164.310(a)(2)(ii))
The Facility Security Plan is where CEs document each physical access control in use. Policies and procedures here should ensure the facility is protected from unauthorized access, theft, and/or tampering.
An example would be to establish a Policy and Procedure whereby each of the organization’s locations is required to take steps to physically secure computers connected to ePHI systems and to control physical access to the premises.
Access Control and Validation Procedures (§ 164.310(a)(2)(iii))
Here, CEs build on the Facility Security Plan in more detail, specifically by controlling and validating access to facilities based on job role and function. In addition, CEs must have policies and procedures covering visitor controls and controls over access to software for testing and revision.
An example would be to establish a procedure where all staff must have organization-issued badges displayed at chest height at all times during clinic operations, and to require all vendors (e.g. drug reps, consultants, contractors, auditors, etc.) to sign in and be provided a VISITOR badge.
Maintenance Records (§ 164.310(a)(2)(iv))
A CE’s facility will undoubtedly require physical maintenance, such as changing locks and installing new security systems. The Maintenance Records provision requires policies and procedures to exist that ensure such events are documented.
An example would be to establish a Policy and Procedure where all security-related repairs and modifications are authorized and tracked/logged.
Workstation Use (§ 164.310(c))
Covered entities are also required to implement policies and procedures that define proper access to and use of company workstations. A “workstation” is defined in the HIPAA Security Rule as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”
Improper use of workstations may expose a CE to malware, intruders and confidentiality breaches. It’s essential for CEs to implement proper procedures to ensure compliant workstation use. This includes all off-site workstations, too!
An example would be to establish an Acceptable Use Policy that contains sections addressing acceptable use of computer systems and the workstation environment.
Workstation Security (§ 164.310(c))
While it may seem at first that Workstation Use and Workstation Security are one and the same, they have a key point of difference. The Workstation Use standard includes no implementation specifications. However, the Workstation Security standard outlines the policies and procedures for how workstations should be used and protected.
An example would be to apply measures ensuring all workstations are physically secured from unauthorized access (e.g. located away from public areas, with screens angled away from public view).
Device and Media Controls (§ 164.310(d)(1))
Similar to Workstation Use, in order to meet the Device and Media Controls standard, CEs must ensure all devices and electronic media that contain or transmit ePHI are secure. This standard further specifies that policies and procedures must be in place covering the receipt, removal, backup, storage, reuse, disposal and ownership of electronic media.
Examples of measures that address this standard would be to:
- Establish a Policy and Procedure outlining secure disposal techniques, ensuring all ePHI is adequately destroyed on old computer media before disposal or reuse;
- Establish a Policy where staff are provided guidance on encrypting ePHI downloaded to any electronic media (including laptops, smartphones, etc.);
- Establish a Procedure to conduct a full backup of any ePHI system prior to its being moved;
- Evaluate and deploy an IT asset inventory, tracking and security (e.g. remote wipe) system for laptops, smartphones, tablets and other digital media assets (e.g. backup tapes, desktops) containing ePHI; and
- Assign responsibility for maintaining the IT asset management system so that the movement of all ePHI repositories is documented.
Most HIPAA violations relating to the Security Rule’s Physical Safeguards involve paper documents, human error, and the loss or theft of a mobile device. Any violation of the HIPAA Security Rule carries a high probability of severe fines, terminations, office closures and even jail time. You don’t want your organization or any of your employees to face these consequences, which is why it’s so critical for each of your employees to understand HIPAA’s Security Rule and each of its three safeguards. Education helps prevent violations and helps establish a proper communications and awareness effort so that the organization remains HIPAA compliant and in control of its breach-related risks.
Make sure to check our blog in the near future to read the last post in this series and learn about HIPAA’s Security Rule’s Technical Safeguards.