Security is vital to your healthcare organization, but too many think of it just as cybersecurity. Physical security is equally important. The HIPAA Security Rule includes a section on required physical safeguards. Without control over physical access, your patients' personal health information isn't safely protected. Walking away with information doesn't take any high-tech skills.
Healthcare providers need to give electronic protected health information (ePHI) strong protection under the HIPAA Security Rule and Privacy Rule. Information breaches where negligence is a contributing factor can result in expensive penalties. Physical safeguards are an essential part of security. Unauthorized physical access to computers makes it easier for intruders to circumvent technical safeguards.
The Security Rule cites two areas under physical safeguards:
The rule makes it clear that one size doesn't fit all when implementing physical safeguards. Large organizations with many records need more elaborate physical access control than small practices. The nature of the practice matters as well. A clinic specializing in sexually transmitted diseases, for instance, should exercise an extra measure of care.
Some considerations may not apply to your organization. If you have a strict prohibition on removable media, you don't need to deal with their protection and re-use to be HIPAA compliant.
The HIPAA Security Rule says that you have to "limit physical access to [your] facilities while ensuring that authorized access is allowed." The details of security controls depend on the facility.
Hospitals face a special challenge. Patients are present day and night. This increases the risk of unauthorized access to protected health information, but a hospital can't turn the place into a prison. Doctors rushing to an emergency can't be stopped and questioned. A hospital needs to keep its electronic data out of the reach of patients and visitors without interfering with its functions. It needs cameras, a well-trained security staff, and careful thinking about visitor control.
Labs that don't normally have outsiders present have an easier job guarding their ePHI. However, they may hold a lot of confidential test results relative to their size, and they need to keep the information safe from unauthorized intrusion. All types of covered entities have their distinctive requirements and should run their own risk analysis. They need to control access to areas that hold their electronic media and ePHI.
The policies should cover actions in the event of an emergency. Maintaining full security while in emergency mode is impractical, but there should be an orderly procedure.
Healthcare facilities commonly hold or access patient information with workstations, tablets, smartphones, and hard drives. The HHS requirements for device and workstation security cover (1) use and access of devices and (2) movement of media.
You have to implement policies and procedures for access to workstations and media. Unattended workstations should be password-locked. They shouldn't be put in public areas where intruders could easily tamper with them or steal them.
Physical access controls should include internal restrictions as well. Each person's access should be limited to what's needed to do the job. Keeping workstations and media in locked or restricted areas hinders unauthorized intrusion and improper workstation use. These areas should have sign-in logs to track when people enter and leave.
Maintenance records should track everything that has been added to or changed in a device. Checking devices against those records will help to guard against tampering.
Sometimes it's necessary to take computers and media from one location to another. This requires special care. If a third party handles the transportation, have them sign a business associate agreement (BAA). Verify that the items reach their destination with no signs of tampering.
Printers need careful attention. If employees print out personal health information, company policies should instruct them to go immediately to the printer to pick it up. They need to protect printed information from being seen by unauthorized observers.
Removal of hardware and media is a delicate concern. When a leased computing device is returned, it needs to be thoroughly wiped before going outside your control. Media re-use calls for careful handling. Never throw anything in the trash or recycling before making sure no confidential information can be retrieved from it.
HIPAA compliance in protecting electronic information systems has to cover all levels, from a facility security plan through workstation security to network management. A security policy needs to include all of these areas to make sure no gaps exist. A risk assessment needs to cover physical measures and weaknesses as well as cybersecurity concerns.
Be sure that your organization's security standards are fully HIPAA compliant. Physical and technical protection of information needs expertise in security issues.
We can help you to protect all aspects of information access with our HIPAA Penetration Testing. Get in touch with RedTeam Security at (952) 836-2770 for a security assessment, or schedule a free consultation with our HIPAA Penetration Experts.