HIPAA physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems, related buildings, and equipment.
The previous article was dedicated to HIPAA administrative safeguards to protect ePHI. In this article, we’ll focus on the physical safeguards.
The HIPAA Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Covered entities should implement physical access controls, ensuring that only authorized personnel can enter areas where ePHI is stored or processed. These physical controls should include:
When evaluating and implementing physical safeguards, a covered entity must consider all physical risks to ePHI. This may extend outside of an actual office and could include workforce members’ homes or other physical locations where they access ePHI.
So, let’s explore the HIPAA physical safeguards deeper.
Contingency Operations. Contingency operations refer to the physical security measures an entity puts in place when its contingency plans are activated. Ensure your physical security plan addresses emergency access when, for instance, power is down and electronic access systems are not working. How facility access controls function during contingency operations differs from one organization to another. An organization might deploy security personnel at entry points and provide designated escorts for those authorized to enter the facility for data restoration.
Facility Security Plan. The Facility Security Plan is a formal document that defines controls used to protect physical assets. Thus, covered entities must develop and implement a physical security policy to deal with physical threats related to the company’s facilities that handle ePHI data. With the plan, covered entities must ensure that only authorized individuals have access to facilities and equipment that contain ePHI while denying access to those without legitimate business needs.
Access control and validation procedures. Physical access to different offices, rooms, and floors must be defined based on job requirements. The purpose of this requirement is to align a person’s access to information with their role and responsibilities in the organization. The implemented controls will depend on the associated risk. For instance, it is common practice to ask for proof of identity, such as a picture ID, before allowing access to a facility. Some organizations require verification at every entry point, while others check a visitor’s identity only at the initial entry.
Maintenance and records. Equipment used in the organization’s facilities must be maintained regularly and repaired as necessary. This includes changing locks, performing routine HVAC maintenance checks, and installing new equipment. Document all such maintenance, repairs, changes, and installations.
The HIPAA Security Rule defines a workstation as an electronic computing device, for example a laptop or desktop computer, together with the electronic media stored in its immediate environment. Inappropriate workstation use can expose a covered entity to malware infections, data breaches, and other security risks. Organizations must therefore develop and enforce configuration standards for workstations and mobile devices used to access ePHI. Such standards should include strong passwords, screen locks, hard drive encryption, malware protection, the latest security patches, etc.
Covered entities should also implement Mobile Device Management (MDM) tools to enforce secure workstation configurations. Such solutions would also enable you to remotely locate, lock, and wipe devices if they get lost or stolen.
Implement secure connection methods for remote work. A secure virtual private network (VPN) is the most commonly used method; it encrypts data in transit and enforces strong authentication.
Finally, train all your workforce members on using the devices for accessing ePHI.
While Workstation Use addresses policies and procedures for how workstations are used, Workstation Security addresses how to physically protect workstations from unauthorized users. Identify requirements for the physical protection of your workstations, such as keeping the workstation in the office, using security cables to prevent theft, using privacy screens, etc.
Ensure your workforce members always lock their workstations, even when stepping away for a short time, and check their surroundings to prevent shoulder surfing.
Electronic media refers to “electronic storage media (hard drives) and any removable memory medium, such as a digital memory card…” Thus, covered entities must properly handle electronic media, including its receipt, removal, backup, storage, reuse, disposal, and accountability.
The proper device and media controls require covered entities to implement policies and procedures that oversee the handling of hardware and electronic media containing ePHI.
Disposal. Establish a process and deploy the necessary technologies (or use third-party services) to render data unrecoverable before disposing of data media. Such media includes workstations, servers, removable storage, fax machines, printers, etc.
Media Re-use. Develop a process and implement necessary tools for removing ePHI from data media prior to re-use. This applies, for instance, when transitioning a workstation from a departing employee to a new one, or when repurposing a production server for non-production purposes.
Accountability. Maintain a list of all data media that contain ePHI (workstations, removable storage, backup media, etc.). Ensure all media containing ePHI are labeled so that each asset is easy to identify and tie back to the inventory list.
Data backup storage. Set up a method for creating exact duplicates of any data that is physically dispatched to a different location. This measure ensures the data is preserved and provides an accurate record of what was transferred.
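One way to produce the “accurate record of the data that was transferred” described above, as an added example that is not part of the original article: build a SHA-256 manifest of every file on the media before dispatch, ship the manifest separately from the media, and verify the copy against it on arrival. The file names and contents below are constructed sample data; the function names are this example’s own.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the relative path, size and SHA-256 of every file under root.
    The returned dict is the record to keep (e.g. as JSON) apart from the media."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return entries


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a received copy against the manifest: anything missing, altered
    or unexpected means the duplicate is not exact and must be investigated."""
    found = build_manifest(copy_root)
    missing = sorted(set(manifest) - set(found))
    extra = sorted(set(found) - set(manifest))
    changed = sorted(k for k in manifest
                     if k in found and found[k]["sha256"] != manifest[k]["sha256"])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "extra": extra, "changed": changed}


def demo() -> dict:
    """Constructed scenario: a source tree, a faithful copy, and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / n for n in ("source", "good", "bad"))
        for root in (src, good, bad):
            (root / "records").mkdir(parents=True)
            (root / "records" / "patient_a.csv").write_text("id,dob\n1,1970-01-01\n")
            (root / "index.txt").write_text("two files\n")
        # Simulate a copy altered in transit and a file that never arrived.
        (bad / "records" / "patient_a.csv").write_text("id,dob\n1,1971-01-01\n")
        (bad / "index.txt").unlink()
        manifest = build_manifest(src)
        return {"manifest_files": len(manifest),
                "good": verify_copy(manifest, good),
                "bad": verify_copy(manifest, bad)}
```

Keeping the manifest with the inventory entry for the shipped media (see Accountability above) ties the verification result back to the specific asset.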
Planet 9, a San Francisco Bay Area-based organization, employs seasoned professionals with years of experience working in the healthcare industry who can help with addressing all HIPAA requirements. Our typical approach to HIPAA compliance consists of the following process:
Depending on the expertise and availability of the client’s internal resources, Planet 9 can implement the entire road map, position the client to execute the road map on their own, or supplement the client’s team.
You can also utilize the Planet 9 HIPAA Vitals application. The HIPAA Vitals assessment is based on several reputable sources including the Office of Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and years of experience implementing HIPAA requirements in different organizations by our professionals. The assessment scope is driven by the technical profile and other factors specific to the organization.
To stay updated on the recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!
Website: https://planet9security.com
Email: info@planet9security.com
Phone: 888-437-3646