Common HIPAA Physical Safeguards Under The HIPAA Security Rule

HIPAA physical safeguards are crucial to protecting electronic protected health information (ePHI) and are essential to maintaining HIPAA compliance.

HIPAA physical safeguards are an essential aspect of any covered entity’s PHI security, but they can easily be overlooked. Technical safeguards and administrative safeguards tend to be pushed to the forefront of a covered entity’s overall health data security plan. However, physical safeguards are just as critical, and they must work seamlessly with the other two federal requirements.

Whether an organization needs to review its storage methods for portable devices, or is considering a new system for its security cameras, understanding the basic requirements for HIPAA physical safeguards is an important part of keeping an organization’s sensitive data secure.

What are HIPAA physical safeguards?

The HIPAA Security Rule describes physical safeguards as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Essentially, a covered entity needs to consider all physical access to ePHI. Everything from the healthcare organization office, to employees’ homes, or even a separate physical storage center needs to be properly secured.

As portable media, such as USB drives and laptops, become more common at healthcare organizations, those entities must understand how to keep that media secure. This means going beyond putting a password, or even encryption, on the device: the organization must also ensure that the device itself cannot be easily stolen, lost or inappropriately accessed.

As with other HIPAA safeguard requirements, a healthcare organization must implement physical policies and procedures that are appropriate for its regular operations. For example, a small covered entity might not necessarily need video monitoring systems, and if portable devices are not even in use, then there is not a need to require that they be kept under lock and key. However, all organizations would benefit from locking office doors and from having some sort of security system in place.

Facility access and control

One of the key aspects for covered entities to consider when implementing physical safeguards is facility access and control. The physical access to electronic systems must be limited, and healthcare organizations must ensure that only authorized users are able to access the information.

There are four implementation specifications for covered entities to follow:

  • Contingency operations
  • Facility security plan
  • Access control and validation procedures
  • Maintenance records

Contingency operations require that healthcare organizations “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”

Facility access controls may vary during contingency operations based on the size of the organization.

Facility security plans are used to document and define the physical controls employed by a covered entity. For example, facility security plans should put procedures in place to prevent tampering or theft of ePHI by establishing things like restricted areas, surveillance cameras, and alarms.

Access control and validation procedures refer to ensuring that individuals are only given access that is appropriate for their job function.

“The purpose of this implementation specification is to specifically align a person’s access to information with his or her role or function in the organization,” the HIPAA Security Series explains.

“These functional or role-based access control and validation procedures should be closely aligned with the facility security plan.”

Finally, the maintenance records aspect dictates that healthcare organizations must regularly check for security updates or modifications and implement them as necessary. All repairs and changes must be documented. For example, a logbook that notes the date, the reason for a particular repair, and who authorized it could be beneficial.

Workstation use and device security

The second key component of HIPAA physical safeguards is workstation use and device security. According to HIPAA, organizations must “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

When determining workstation security, a covered entity needs to consider the environment. Is it in a public place? How many people access the workstation? From there, healthcare organizations must implement appropriate security measures. There are no implementation specifications, but covered entities must implement measures that apply to their daily workflow and facility.

For device and media control, organizations must adhere to the following specifications:

Disposal (Required): When electronic media is disposed of, covered entities must ensure that it is unusable and/or inaccessible. This could be done by applying a strong magnetic field to the device (also known as degaussing), or the media could be physically damaged beyond repair.

Media Re-Use (Required): When an organization wants to reuse a piece of media, such as a computer or a floppy disc, it must remove all ePHI before it is used again.

Accountability (Addressable): This requires that records are kept on where hardware and electronic media are moved, and who has access to them. This is most applicable with portable workstations or portable devices. Whenever an item is moved, it must be properly documented. However, if a covered entity does not use portable devices, this may not be a necessary measure.

Data backup and storage (Addressable): This requires that “a retrievable, exact copy” of ePHI is created before equipment is moved. For example, a backup hard drive could be made when an organization is moving. Or perhaps all information must be shared to the main network, which would eliminate the need for a backup hard drive.

As stated earlier, HIPAA physical safeguards are a crucial piece of a healthcare organization’s larger data security plan. They must be implemented in a way that balances and works with administrative and technical safeguards.

It is up to covered entities to look at their daily operations and workflow needs to determine what the best options are for physical safeguards, and then ensure that employees at all levels adhere to them.
