Security is vital to your healthcare organization, but too many think of it just as cybersecurity. Physical security is equally important. The HIPAA Security Rule includes a section on required physical safeguards. Without control over physical access, your patients’ personal health information isn’t safely protected. Walking away with information doesn’t take any high-tech skills.
Overview of HIPAA physical safeguards
Healthcare providers need to give electronic protected health information (ePHI) strong protection under the HIPAA Security Rule and Privacy Rule. Information breaches where negligence is a contributing factor can result in expensive penalties. Physical safeguards are an essential part of security. Unauthorized physical access to computers makes it easier for intruders to circumvent technical safeguards.
The Security Rule cites two areas under physical safeguards:
- Facility access and control.
- Workstation and device security measures.
The rule makes it clear that one size doesn’t fit all when implementing physical safeguards. Large organizations with many records need more elaborate physical access control than small practices. The nature of the practice matters as well. A clinic specializing in sexually transmitted diseases, for instance, should exercise an extra measure of care.
Some considerations may not apply to your organization. If you have a strict prohibition on removable media, you don’t need to deal with their protection and re-use to be HIPAA compliant.
Facility Access Controls
The HIPAA Security Rule says that you have to “limit physical access to [your] facilities while ensuring that authorized access is allowed.” The details of security controls depend on the facility.
Hospitals face a special challenge. Patients are present day and night. This increases the risk of unauthorized access to protected health information, but a hospital can’t turn itself into a prison. Doctors rushing to an emergency can’t be stopped and questioned. A hospital needs to keep its electronic data out of the reach of patients and visitors without interfering with its functions. It needs cameras, a well-trained security staff, and careful thinking about visitor control.
Labs that don’t normally have outsiders present have an easier job guarding their ePHI. However, they may hold a lot of confidential test results relative to their size, and they need to keep the information safe from unauthorized intrusion. All types of covered entities have their distinctive requirements and should run their own risk analysis. They need to control access to areas that hold their electronic media and ePHI.
The policies should cover actions in the event of an emergency. Maintaining full security while in emergency mode is impractical, but there should be an orderly procedure.
Device and Workstation Use Under the HIPAA Security Rule
Healthcare facilities commonly hold or access patient information with workstations, tablets, smartphones, and hard drives. The HHS requirements for device and workstation security cover (1) use and access of devices and (2) movement of media.
You have to implement policies and procedures for access to workstations and media. Unattended workstations should be password-locked. They shouldn’t be put in public areas where intruders could easily tamper with them or steal them.
Physical access controls should include internal restrictions as well. Each person’s access should be limited to what’s needed to do the job. Keeping workstations and media in locked or restricted areas hinders unauthorized intrusion and improper workstation use. These areas should have sign-in logs to track when people enter and leave.
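A sign-in log only protects ePHI if someone actually reviews it. The following is an added example, not code from the original article: it reads a constructed sign-in log for restricted areas, compares it against a hypothetical access list (area, authorized badge ids, permitted hours), and reports entries by people who are not on the list, entries outside permitted hours, and entries with no matching exit. The log format, badge ids and areas are all assumptions made for the example.

```python
"""Review a restricted-area sign-in log against an access list.

Findings raised:
  * "unauthorized": an entry by a badge not on the area's access list
  * "after-hours":  an entry outside the area's permitted hours
  * "unknown-area": an entry for an area with no access list at all
  * "no-exit":      an entry that never got a matching exit record
All areas, badge ids, hours and log lines are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical access list: area -> (authorized badge ids, (open, close) hours)
ACCESS_LIST = {
    "server-room": ({"B1001", "B1002"}, (time(7, 0), time(19, 0))),
    "records-storage": ({"B1003"}, (time(8, 0), time(18, 0))),
}

# Constructed sign-in log: "<date> <time> ENTER|EXIT <area> <badge>" per line
SAMPLE_LOG = """\
2024-03-04 08:05 ENTER server-room B1001
2024-03-04 08:40 EXIT server-room B1001
2024-03-04 12:10 ENTER server-room B1099
2024-03-04 12:20 EXIT server-room B1099
2024-03-04 22:15 ENTER server-room B1002
2024-03-04 22:40 EXIT server-room B1002
2024-03-04 09:00 ENTER records-storage B1003
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    action: str
    area: str
    badge: str


def parse_log(text):
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, action, area, badge = line.split()
        events.append(Event(datetime.fromisoformat(f"{date} {clock}"), action, area, badge))
    return events


def review(events, access_list=ACCESS_LIST):
    """Return (kind, badge, area, 'YYYY-MM-DD HH:MM') findings in time order."""
    findings = []
    open_entries = {}  # (area, badge) -> entry time, so EXIT can be paired with ENTER
    for ev in sorted(events, key=lambda e: e.when):
        stamp = ev.when.strftime("%Y-%m-%d %H:%M")
        key = (ev.area, ev.badge)
        if ev.action == "EXIT":
            open_entries.pop(key, None)
            continue
        # Every ENTER is checked against the list and the permitted window independently,
        # so one entry can raise both an "unauthorized" and an "after-hours" finding.
        if ev.area not in access_list:
            findings.append(("unknown-area", ev.badge, ev.area, stamp))
        else:
            authorized, (opens, closes) = access_list[ev.area]
            if ev.badge not in authorized:
                findings.append(("unauthorized", ev.badge, ev.area, stamp))
            if not (opens <= ev.when.time() <= closes):
                findings.append(("after-hours", ev.badge, ev.area, stamp))
        if key in open_entries:  # a second ENTER without an EXIT in between
            findings.append(("no-exit", ev.badge, ev.area, open_entries[key]))
        open_entries[key] = stamp
    # Anything still open at the end of the log was never signed out.
    for (area, badge), stamp in open_entries.items():
        findings.append(("no-exit", badge, area, stamp))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run against the constructed log, the review flags badge B1099 as unauthorized in the server room, B1002's 22:15 entry as after hours, and B1003's records-storage entry as never signed out. In practice the access list would be exported from whatever badge or roster system the facility uses, and the review run on a schedule rather than by hand.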
Maintenance records should track everything that has been added to or changed in a device. Checking devices against those records helps to guard against tampering.
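The check described above is mechanical once the record and the observed state are both structured. The following is an added example, not code from the original article: it derives the expected component inventory of a workstation by applying each recorded maintenance action to a commissioning baseline, then diffs that against what a physical or firmware inventory observed. Components the record cannot account for (an added internal USB device, a swapped network card) are flagged, and a record that contradicts the prior state is itself rejected. The device id, slot names, serial numbers and ticket ids are constructed for the example.

```python
"""Check a device's observed hardware inventory against its maintenance record.

expected_state() replays the maintenance log over the commissioning baseline;
check_device() diffs that expected state against an observed inventory.
All device ids, slots, serial numbers and tickets are constructed for this example.
"""
from copy import deepcopy

# Constructed baseline taken when the workstation was commissioned:
# slot -> serial number, or None when the slot is empty.
BASELINE = {
    "WS-0042": {
        "disk0": "SN-DISK-A1",
        "disk1": None,
        "ram0": "SN-RAM-11",
        "ram1": "SN-RAM-12",
        "nic0": "SN-NIC-7",
        "usb-internal": None,
    }
}

# Constructed maintenance record: one authorized action per entry, in date order.
MAINTENANCE_LOG = [
    {"device": "WS-0042", "date": "2024-01-15", "action": "replace", "slot": "ram1",
     "old": "SN-RAM-12", "new": "SN-RAM-31", "ticket": "MNT-101"},
    {"device": "WS-0042", "date": "2024-02-02", "action": "add", "slot": "disk1",
     "new": "SN-DISK-B9", "ticket": "MNT-117"},
]

# Constructed result of today's physical / firmware inventory check.
OBSERVED = {
    "WS-0042": {
        "disk0": "SN-DISK-A1",
        "disk1": "SN-DISK-B9",
        "ram0": "SN-RAM-11",
        "ram1": "SN-RAM-31",
        "nic0": "SN-NIC-99",          # differs from baseline, no record of a swap
        "usb-internal": "SN-USB-X",   # something attached with no record at all
    }
}


def expected_state(device, baseline=BASELINE, log=MAINTENANCE_LOG):
    """Replay the maintenance log for one device over its baseline.

    Raises ValueError when an entry contradicts the state it claims to change,
    which usually means the record is incomplete or has been edited.
    """
    state = deepcopy(baseline[device])
    for entry in log:
        if entry["device"] != device:
            continue
        slot, action, ticket = entry["slot"], entry["action"], entry["ticket"]
        if action == "replace":
            if state.get(slot) != entry["old"]:
                raise ValueError(f"{ticket}: {slot} did not hold {entry['old']} before this action")
            state[slot] = entry["new"]
        elif action == "add":
            if state.get(slot) is not None:
                raise ValueError(f"{ticket}: {slot} was not empty before this action")
            state[slot] = entry["new"]
        elif action == "remove":
            if state.get(slot) != entry["old"]:
                raise ValueError(f"{ticket}: {slot} did not hold {entry['old']} before this action")
            state[slot] = None
        else:
            raise ValueError(f"{ticket}: unknown action {action!r}")
    return state


def check_device(device, observed=OBSERVED, baseline=BASELINE, log=MAINTENANCE_LOG):
    """Return (slot, kind, expected_serial, observed_serial) for every discrepancy."""
    expected = expected_state(device, baseline, log)
    actual = observed[device]
    discrepancies = []
    for slot in sorted(set(expected) | set(actual)):
        exp, act = expected.get(slot), actual.get(slot)
        if exp == act:
            continue
        if exp is None:
            kind = "unrecorded-addition"
        elif act is None:
            kind = "unrecorded-removal"
        else:
            kind = "unrecorded-change"
        discrepancies.append((slot, kind, exp, act))
    return discrepancies


if __name__ == "__main__":
    for slot, kind, exp, act in check_device("WS-0042"):
        print(f"{slot}: {kind} (expected {exp}, observed {act})")
```

For the constructed data, the recorded RAM replacement and disk addition reconcile cleanly, while the network card swap and the internal USB device are reported as unrecorded. Either finding is a reason to take the device out of service until the change is explained, since both are exactly what a physical tampering attempt would leave behind.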
Sometimes it’s necessary to take computers and media from one location to another. This requires special care. If a third party handles the transportation, have them sign a Business Associate Agreement. Verify that the items reach their destination with no signs of tampering.
Printers need careful attention. If employees print out personal health information, company policies should instruct them to go immediately to the printer to pick it up. They need to protect printed information from being seen by unauthorized observers.
Removal of hardware and media is a delicate concern. When a leased computing device is returned, it needs to be thoroughly wiped before going outside your control. Media re-use calls for careful handling. Never throw anything in the trash or recycling before making sure no confidential information can be retrieved from it.
Physical and Technical Safeguards for HIPAA Compliance
HIPAA compliance in protecting electronic information systems has to cover all levels, from a facility security plan through workstation security to network management. A security policy needs to include all of these areas to make sure no gaps exist. Conducting a risk assessment needs to cover physical measures and weaknesses as well as cybersecurity concerns.
Reference: Summary of the Security Rule (hhs.gov)