Security Rule Physical Safeguards
The HIPAA Security Rule contains three types of required standards of implementation that all business associates and covered entities must abide by. These standards are Administrative Safeguards, Physical Safeguards, and Technical Safeguards. In part 1 of this series, we examined in detail the administrative safeguards required under HIPAA. In part 2, we will pivot to the next set.
Physical Safeguards are the policies and procedures for protecting PHI within electronic information systems, equipment, and the buildings they are housed in from unauthorized intrusion. Common examples of Physical Safeguards include:
Facility Access Controls
- Contingency Operations (A): Refers to physical security measures entities established in the event of the activation of contingency plans and employed while the contingency plans required by the Administrative Safeguards are active. These operations will be in motion during or immediately after a breach or emergency situation.
- Facility Security Plan (A): Defines and documents the safeguards used by the covered entity to protect the facility or facilities. Facility security plans document the use of physical access controls, and these controls must ensure that only authorized individuals have access to facilities and equipment that contain EPHI. Some common examples are things like signs of restricted areas, locked doors, private security to patrol the facility, identification badges and/or surveillance cameras.
- Access Control and Validation Procedures (A): These procedures are the means by which a covered entity will actually determine which employees should have access to certain locations within the facility based on their role or function. The access permissions will depend on the covered entity’s environmental characteristics. In a large organization, because of the size of their workforce and large number of visitors, they would have to validate every time for every visit. In a small doctor’s office it may not be necessary to check identity every time he or she visits, because the identity would already be known.
- Maintenance Records (A): Requires that covered entities document repairs and modifications to the physical components of a facility which are related to security. Hardware, walls, doors and locks are just some examples. In a large organization, various repairs and modifications of physical security components may need to be documented in more detail and maintained in a database. For a small office, documentation may simply be a logbook that notes the date, reason for repair or modification and who authorized it.
Workstation Use (R)
Workstation is defined in the rule as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.” Inappropriate use of computer workstations, like going onto unprotected sites or clicking on sketchy links in a suspicious email, can expose a covered entity to risks, such as virus attacks, compromising information systems, and breaches of confidentiality.
Workstation Security (R)
Workstation Security standard addresses how workstations are to be physically protected from unauthorized users. This standard requires that covered entities: “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.” An example would be keeping physical access to the workstation in a secure room where only employees who are authorized to have access to the workstation can enter.
Device and Media Controls
- Disposal (R): When covered entities dispose of any electronic media that contains EPHI they should make sure it is unusable and/or inaccessible. This can be done by either physically damaging the electronic media making it inaccessible or degaussing (running a magnetic field over the magnetic media to erase the data).
- Media Re-use (R): Instead of disposing of electronic media, covered entities may want to reuse it. To do so, covered entities must: “Implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse.” Internal re-use may include re-deployment of PCs or sharing floppy disks. External re-use may include donation of electronic media to charity organizations or local schools.
- Data Backup and Storage (A): This specification protects the availability of EPHI and is similar to the Data Backup Plan for the contingency plan standard of the Administrative Safeguards. This is required when moving data from one hard drive to another so that there is a backup copy if something happens to the original data. Therefore, it’s likely that both implementation specifications may be included in the same policies and procedures. Larger organizations may implement policies that require users to save all information on the network, thus eliminating the need for a hard drive backup prior to the move.
- Accountability (A): The covered entity must: “Maintain a record of the movements of hardware and electronic media and any person responsible therefore.” If a covered entity’s hardware and media containing EPHI are moved from one location to another, a record should be maintained as documentation of the move.