While HIPAA covers a broad scope of healthcare related items, its Security Rule specifically sets forth standards concerning the safety of electronic Protected Health Information, or ePHI. Furthermore, the Security Rule can be broken down into three keys areas of implementation: Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In Part I of this blog series we will discuss the basics regarding HIPAA Physical Safeguards, or Section 164.310 of the Security Rule, and how they relate to ePHI (electronic Protected Health Information).
The Department of Health and Human Services defines HIPAA Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion”. In short, a covered entity must have physical protocols in place to protect is ePHI from disaster and/or theft.
HIPAA Physical Safeguards can be broken down into the following standards:
- Facility Access Control: This standard requires covered entities to implement policies and procedures to limit physical access to information systems and the facilties in which they are stored. Proper authorization to access these systems should also be ensured. The Facility Access Control Standard also requires the following implementations:
- Contingency Operations
- Facility Security Plan
- Access Control and Validation Procedures
- Maintenance Records
- Workstation Use: A worksation is defined as an electronic computing device and any electronic media stored in its immediate environment. According to this standard, covered entitiies must implement policies and procedures surrounding the functions and physcial attributes of any worksation that can access ePHI. The importance of these policies and procedures is to limit exposure to viruses, compromise of information systems, and breaches of confidential information.
- Workstation Security: This standard differs from Workstation Use in that it refers specifically to how workstations are to be physically protected from unauthorized users. Under this standard, convered entities must implement physical safeguards for all workstations that access ePHI to restrict unauthorized users. Essentially, a covered entity must take precautions - such as locked doors/equipment – to prevent non-employees from physically accessing a workstation.
- Device and Media Controls: Device and Media controls refer to electronic media- meaning electronic storage media devices in computers (hard drives) and any removable/transportable digital memory medium such as tapes, disks, or digital memory cards. The purpose of this standard is to have policies and procedures in place to govern the receipt and removal of hardware and electronic media that contains ePHI, into and out of a facility, and the movement of these items within the facility. Covered entities must be able to account for all ePHI as it is moved between electronic devices. They must be able to account for this ePHI, even if it is disposed of. This standard is broken down into the following implementations:
- Disposal
- Media Re-Use
- Accountability
- Data Backup and Storage
In order to comply with these standards related to HIPAA Physical Safeguards, here are some examples of basic practices that any covered entity can apply to its medical practice:
- Keep access to any device that stores or processes ePHI restricted to authorized personnel only. Avoid having these devices in areas that can easily be accessed by patients or visitors.
- Ensure that ePHI is disposed of properly. Hard drives and any other devices that store patient information must be destroyed in the proper manner, and a certificate of disposal should be obtained and kept as record.
- Keep an inventory of all devices in the office that store or process ePHI. Additionally, note down which staff have accesses to these devices and what roles they play in processing ePHI.
These are examples of general steps that will help covered entities comply with HIPAA. It is important that the annual mandatory HIPAA risk assessments be comprehensive and should review all physical safeguards at your location, pinpoint specific vulnerabilities and determine the corresponding action items and additional physical safeguards that may need to be implemented.
In summary, the Physical Safeguards standard of the HIPAA Security Rule sets forth a comprehensive framework regarding the physical protection of ePHI. As covered entities continue to modernize and move away from traditional paper-based records keeping, they will need to keep these standards in mind for the privacy of their patients.
In the upcoming Part II of these series, we will delve into the Technical Safeguards of the HIPAA Privacy Rule.
By Anirudh Nadkarni.
Click HERE to read about 24By7Security Security Risk Assessment services, which include a comprehensive review of the various safeguards specified in the HIPAA Security Rule.
