HIPAA Security Rule: What are Physical Safeguards?
The HIPAA Security Rule was the second major rule issued under the HIPAA legislation; compliance became mandatory for most covered entities in April 2005 (small health plans had until April 2006). Alongside administrative and technical safeguards, the Security Rule mandates a set of Physical Safeguards intended to protect the facilities, equipment, and media that hold electronic protected health information (ePHI). Now that most organizations handle PHI in a mostly digital format, it is easy to neglect the physical security of the systems that store and process it. We'll go through everything that you need to know about Physical Safeguards, including what they are, which standards and implementation specifications apply, and best practices for meeting them.
HIPAA Security Rule Overview
The HIPAA Security Rule requires three kinds of safeguards that organizations must implement: administrative, physical, and technical safeguards. Today we'll focus on physical safeguards, which outline the protections that organizations need to put in place around the buildings, workstations, and media that hold electronic protected health information (ePHI).
Since cybersecurity is a hot topic in the world of HIPAA and the health industry as a whole, that tends to be the aspect of information security that organizations focus on. However, physical security measures are just as important: an attacker who can walk off with a server, a backup tape, or an unlocked laptop bypasses every technical control. Luckily, the HHS has set out clear standards and implementation specifications that organizations must have in place to prevent unnecessary risk to the systems and media that store ePHI.
What are Physical Safeguards?
According to the text of the HIPAA Security Rule (45 CFR 164.304), physical safeguards are defined as "the physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." In terms of evaluating and implementing the proper physical safeguards, it is key that an organization thinks through every way ePHI could be physically reached through its operations: server rooms, network closets, shared workstations, printers, portable drives, and backup media included.
There are four physical safeguard standards that companies should plan for and operate according to: Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. Just as we saw with the Technical Safeguards piece of the Security Rule, some of the implementation specifications are "required" while others are "addressable". What HIPAA means by an addressable specification is that the organization must assess whether it is a reasonable and appropriate safeguard for its environment and, if so, implement it; if not, it must document why and implement an equivalent alternative measure where reasonable. It is important to remember that addressable specifications are not optional; they are customizable by the organization, and the decision must be documented either way.
Facility Access Controls
The first of these standards, facility access controls, sets the policies and procedures that limit physical access to the facilities housing the servers, workstations, and other equipment that hold ePHI. In addition to preventing unauthorized access to these facilities, the controls that are implemented must still allow authorized access to occur, including during an emergency. All four of the specific "facility access controls" implementation specifications are considered "addressable".
- Contingency Operations: Create procedures and plans that can be used to allow facility access and emergency operations in the event of a natural disaster or another emergency.
- Facility Security Plan: This is the facility access standard we typically think of - introducing procedures to prevent unauthorized access, theft, or tampering of the facility or any devices.
- Access Control and Validation Procedures: Establish processes for controlling and validating an individual's access to facilities, and to software programs for testing and revision, based on their role and need. This should include a visitor control protocol (sign-in, escort, and badging).
- Maintenance Records: Maintain a protocol for documenting all maintenance, repairs, or modifications to the physical components of the facility that relate to security (e.g. locks, doors, walls, hardware, and badge readers).
Device and Media Controls
Beyond access to the physical facilities of an organization, covered entities and business associates must also control the devices and media that store ePHI. The Rule defines device and media controls as governing the "receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility." This covers hard drives, solid-state drives, USB sticks and memory cards, backup tapes, optical disks, and the storage inside devices such as laptops, copiers, and medical equipment. Within device and media controls there are four implementation specifications: two are required and the other two are addressable according to the organization's risk analysis.
Required Standards
- Disposal: Maintain procedures for the final disposition of ePHI and of the hardware or electronic media it is stored on, so that the data cannot be recovered once the media leaves the organization's control.
- Media Re-use: Implement procedures for removing ePHI from electronic media before that media is made available for re-use, whether inside the organization or by a third party.
Addressable Standards
- Data Backup and Storage: Create a retrievable, exact copy of ePHI, when needed, before equipment containing ePHI is moved, so that a loss or damage in transit does not destroy the only copy.
- Accountability: Maintain a record of the movements of hardware and electronic media, including current location and the person responsible for them.
Workstation Security
The next two standards revolve around the Rule's definition of a workstation as "an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment." Organizations will need to analyze their operations to determine every device that qualifies as a workstation for them, including tablets, clinical terminals, and home computers used for remote work. They must then place physical safeguards on each of these workstations to prevent unauthorized access to the devices and the ePHI they reach. Workstation Use and Workstation Security are both standards in their own right with no addressable implementation specifications, so both are required, and the recent increase in remote working makes them harder to meet consistently.
- Workstation Security: Implement physical safeguards for all workstations that access ePHI so that authorized users can reach them while unauthorized users cannot (for example, positioning screens away from public view, cable locks, and locked rooms for shared terminals).
- Workstation Use: Specify the authorized functions a given device may perform, the manner in which those functions are to be performed, and the physical attributes of the surroundings of each workstation or class of workstation that can access ePHI. This includes which websites and actions users may access on organization-owned devices, since unauthorized use of a workstation creates additional risk to ePHI.
Each of these standards, specified by the HHS as the Physical Safeguards under the HIPAA Security Rule, is intended to set physical measures, policies, and procedures that protect electronic protected health information across the organization's buildings, equipment, and media. When implemented correctly and completely, these standards should protect covered entities and business associates from unauthorized physical access, and from data loss in the event of a disaster. More information about each of these standards and their implementation specifications can be found in the HHS guide on the Security Rule's physical safeguards.