HIPAA Physical Safeguards

Facility Access Controls - § 164.310(A)(1)

Practices must limit physical access to its facilities while ensuring that authorized access is allowed.

Contingency Operations - § 164.310(a)(2)(i)

The Contingency Operations section of the Physical Safeguards reflects the plans and security measures that must be undertaken when establishing the contingency operations defined in the Administrative Safeguards section.

Potential items to consider:

  1. In the event of a disaster (such as loss of power or hurricane) how will ePHI on devices in the practice be protected? How will personnel get in to restore data and systems?
  2. Is there a list of specific people allowed and/or not allowed in the facility during disaster recovery?

Facility Security Plan - § 164.310(a)(2)(ii)

Facility security plans must document the use of physical access controls. These controls must ensure that only authorized individuals have access to facilities and equipment that contain EPHI. In general, physical access controls allow individuals with legitimate business needs to obtain access to the facility and deny access to those who do not.

Procedures must also be used to prevent tampering and theft of EPHI and equipment.

Things include in the plan include:

  • Door locks for the exterior as well as interior doors. This would include treatment rooms where workstations may be located and unattended.
  • Alarms.
  • Cameras or even mirrors to see around corners.
  • Asset tags and records of models and serial numbers for equipment.
  • Large facilities should consider identification badges and visitor badges.

Each facility is different and has unique physical security risks, no cookie-cutter solution works everywhere.

Access Control And Validation Procedures - § 164.310(a)(2)(iii)

This regulation is the physical companion to the logical access to ePHI data through computer accounts, login, passwords, and access groups. This portion of the HIPAA security rule requires practitioners to formalize the procedures for allowing people into various parts of the facility.

In small practices where everyone knows each other, the challenges may be much smaller than those larger facilities, clinics and shared practices; however the need to formalize, record, and educate staff about the procedures is just as important.

Things to consider when preparing formal access control procedures:

  • Who is allowed into treatment rooms and specific administrative spaces?
  • Are there times when access should be prohibited?
  • Are escorts required?
  • Do the procedures define the methods for controlling and validating an employee or vendor access to facilities, such as identification badges?
  • Should unattended areas have entry control devices such as door locks with keypads or key cards?

As with physical controls, access control requirements will vary from facility to facility with no single “right” mix. The specific risks of each facility should be addressed with specific controls to mitigate those risks.

Maintenance Records - § 164.310(a)(2)(iv)

From the regulation:

“Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).”

For smaller facilities, this may be accomplished by a simple log book. In larger ones a database system may be necessary.

Workstation Use - § 164.310(B) and Workstation Security - § 164.310(C)

From the regulation:

“Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

And

“Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

What HHS is trying to accomplish with these parts of the Security Rule is to have practices give consideration the physical, not just logical, aspects of computers and ePHI.

Questions to consider are:

  1. Where are all the devices that access ePHI?
  2. Are there devices that do not contain ePHI? How are they identified?
  3. Are they measures in place to prevent information displayed on the screens from being observed?
  4. Are there measures in place to prevent devices from being stolen from the facility?
  5. Are they all conventional computers, or do they include more portable devices such as mobile phones, tablets and laptops? If so, what rules are in place as to where they can be taken, how to prevent theft, and how to ensure that in the event of device theft that ePHI is not disclosed?
  6. Where can mobile devices be used? How will the ePHI they carry be protected from disclosure on home or public networks?
  7. Are all these policies documented and understood by the entire staff?

Device And Media Controls - § 164.310(D)(1)

If there is PHI, it is stored on media of some sort. When that media is no longer needed, it needs to be properly disposed of. This includes all media, whether it is attached to a computer such as a disk drive or USB device, or paper, or film. It all must be properly handled.

Disposal - § 164.310(d)(2)(i)

Probably the best way to handle unneeded media is simply to ensure destruction of that media. Burning and shredding are appropriate for paper and film media. For electronic media there are other options available such as degaussing if the equipment is available. Physical destruction of devices by trusted individuals or organizations is a widely available option.

Media Re-Use - § 164.310(d)(2)(ii)

If a practice wants to re-use media that has contained ePHI (or wishes to sell or donate equipment), there are methods that can be used to effectively remove ePHI from the media device so that it no longer requires protection.

For magnetic media, there are many software packages that can be used to overwrite the entire device several times, effectively destroying the data. Look for software that follows the standard DOD 5220.22-M.

This method cannot be used for solid state devices such as USB sticks for SSDs. They are based on different storage methods and use of this type of software will significantly shorten the life of the device if not destroying it entirely.

The best method, however, is applying full disk encryption to all media devices. By simply eliminating the key, none of the data on the device is recoverable and by definition has no ePHI on it.

Accountability - § 164.310(d)(2)(iii)

From the regulation:

“Maintain a record of the movements of hardware and electronic media and any person responsible therefore.”

Methods are not specified here, but practices must comply with the concept. This must dovetail into how computers and portable devices are used within the practice.

Identification of all devices containing ePHI will be a key component to successfully meeting this requirement. Devices here include portable media such as memory cards, USB drives, and DVDs. Encrypt everywhere possible.

Data Backup And Storage - § 164.310(d)(2)(iv)

From the regulation:

“Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”

This is a basic rule of smart computing. Backup everything that could possibly be affected by any type of adverse operation, physical or logical. 99% of the time it will never be needed, but having it will keep you afloat during that 1% when you do.