The HIPAA Security Rule requires that business associates and covered entities have physical safeguards and controls in place to protect electronic Protected Health Information (ePHI). These safeguards are the set of rules and guidelines that focus solely on physical access to ePHI.

Stephanie Rodrigue discusses the HIPAA Physical Safeguards

What are Physical Safeguards?

According to the Security Rule, physical safeguards are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Each organization’s physical safeguards may differ, and they should be derived from the results of the HIPAA risk analysis.

The physical safeguards comprise four standards:

Facility Access Controls

These policies and procedures should limit physical access to ePHI to what is necessary and authorized. Common controls include locked doors, signs labeling restricted areas, surveillance cameras, onsite security guards, and alarms. Personnel controls could include ID badges and visitor badges.

Workstation Use

Workstation use covers the appropriate use of workstations such as desktops and laptops. These policies and procedures should specify the functions to be performed on workstations, how they are to be performed, and how the workstations are physically secured.

Workstation Security

Workstation security consists of the physical safeguards that prevent unauthorized users from accessing workstations that hold or access ePHI.

Device and Media Controls

Device and media controls are policies and procedures that govern how hardware and electronic media containing ePHI enter or exit the facility and move within it. These controls must include disposal, media reuse, accountability, and data backup and storage.

How to Satisfy the HIPAA Physical Safeguard Requirements

To satisfy this requirement, organizations must demonstrate that they have the appropriate physical safeguards in place and that those safeguards are operating effectively. For more help with determining whether your organization has the proper controls in place, contact us today.

The Security Rule requires that you have physical controls in place to protect PHI. This is going to look different for every organization, so it’s important that you go back to your risk analysis to understand which physical controls are appropriate for your organization.

When we talk about physical controls, some of it’s really simple, like having a lock on your server room door or having security cameras or a security guard onsite. We’re talking about prevention of the physical removal of PHI from your facility. In order to be compliant in this area, you’re going to have to be able to provide evidence that your controls are in place and operating effectively.

One of the HIPAA Security Rule requirements is that covered entities and business associates have administrative controls in place. Once you have completed your HIPAA risk analysis, you should have a good idea of what administrative controls are appropriate for your organization to protect ePHI. Having administrative safeguards in place is important for both the prevention and mitigation of a data breach.

Stephanie Rodrigue discusses HIPAA Administrative Safeguards

What are Administrative Safeguards?

According to the Office for Civil Rights, the Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Examples of administrative controls can be things like employee training, security awareness, written policies and procedures, incident response plans, business associate agreements, and background checks.

To satisfy this requirement, your organization must demonstrate and provide evidence that the appropriate administrative controls are in place and operating effectively. This means that your risk analysis results have been reviewed, and the appropriate administrative controls and security measures have been put in place to address the identified risks. For more help on determining whether you have the appropriate administrative controls in place, contact us today.

Now, with more than 200 Phase 2 HIPAA desk audits completed, Deven McGraw, Deputy Director of the Department of Health and Human Services’ Office for Civil Rights, is encouraging healthcare organizations to look at lessons learned from the completed desk audits to prepare for future HIPAA audit enforcement.

Understanding and navigating HIPAA audit enforcement has been on the minds of healthcare professionals for several years. Many covered entities and business associates have struggled to know what to focus on and in which areas they lack safeguards. Deven McGraw made an exclusive address at HIMSS17 to share with the healthcare industry the top findings from the 2016 Phase 2 HIPAA audits.

Top 8 Lessons Learned from Phase 2 HIPAA Desk Audits

Let’s look at the top 8 lessons learned from the Phase 2 HIPAA audits and make sure you have all of these things in place before you’re audited by the OCR.

  • Lack of Business Associate Agreements

HIPAA law mandates that you have a signed agreement in place with any contractor or subcontractor who is considered a business associate. This means any vendor or third party that has access to protected health information (PHI) is required to sign a contract pertaining to the protection and use of that PHI. This also applies to any business associates using subcontractors.

  • Incomplete or Inaccurate Risk Analysis

An incomplete or inaccurate risk analysis is still a prevalent issue, mainly for organizations that underestimate their full scope and leave out major systems. Don’t forget that the HIPAA risk analysis is a risk-based, prescriptive approach to HIPAA compliance and should be step number one for any organization working towards HIPAA compliance. KirkpatrickPrice has published numerous resources for a step-by-step approach to performing a HIPAA risk analysis.

  • Failure to Manage Risk

Once your risks have been identified, it’s important to mitigate and properly manage them. If some risks cannot be addressed, document them, document how you will manage them in the meantime, and fully document your remediation plan. Risk management is a critical component of any information security program.

  • Lack of Transmission Security

Encrypt everything! Any and all electronic transmission of protected health information (PHI) MUST be encrypted. No exceptions. And as always, if something for whatever reason cannot be addressed, it needs to be formally documented along with the ways in which you mitigate that particular risk.

  • No Patching of Software

We all saw the wake of WannaCrypt in the headlines this month and how failing to apply critical patches can lead to a devastating loss of business and operability. WannaCrypt targeted more healthcare organizations than any other kind of organization, so don’t learn this lesson twice! Patches must be up to date; outdated software makes you an easier target. If there is a critical piece of software that you must use and that cannot be kept patched, be sure you’re documenting that and what you are doing to address the associated risk.

  • Insider Threat

Whether your organization is small or large, it’s always important to have employee termination policies clearly defined, in place, and to ensure that you’re following them. Do you remove employee access from terminated employees? Are you using default passwords that can be easily cracked? Don’t fall victim to insider threat.

  • PHI Disposal

What good are strong administrative and technical safeguards if you’re exposing the low-hanging fruit? Improper disposal of PHI was a common issue found in the Phase 2 HIPAA audits. Make sure you’re properly disposing of PHI and don’t leave anything available for dumpster divers.

  • Lack of Incident Response Plan

Another common finding from the Phase 2 HIPAA audits is insufficient backup and contingency planning. With the risks of ransomware, we must not only be focusing on prevention but also have an Incident Response Plan tested and ready to deploy if, and when, necessary. Regular data backups also go hand-in-hand with incident response as a way to help minimize the damage from a breach or malicious attack.

Preparing for HIPAA audit enforcement may seem like an overwhelming task. Start with a risk analysis and don’t forget these 8 common findings when developing your HIPAA compliance program. If you have any questions or would like help preparing for Phase 2 HIPAA audits, contact us today.

Who must be HIPAA Compliant, and how can they prepare?

If you are just beginning to learn about HIPAA, you may be wondering, “Who must be HIPAA Compliant?” Up until 2009, the answer was simple: Covered Entities. But when the Health Information Technology for Economic and Clinical Health (HITECH) Act passed, it expanded the oversight of the Office for Civil Rights (OCR) to Business Associates. The HITECH Act was passed in 2009 to promote the adoption and meaningful use of health information technology (HIT).

Stephanie Rodrigue Discusses Who must be HIPAA Compliant?

The OCR’s proactive supervision will hold all covered entities and business associates responsible for their own compliance with the laws. According to the Omnibus Rule, business associates are being held directly responsible for their compliance with any relevant HIPAA laws. This means that business associate compliance will be a focus of the coming Phase 2 HIPAA enforcement actions.

Covered Entities are healthcare providers such as doctors’ offices, hospitals, health plans, or healthcare clearinghouses. If your business is a covered entity preparing for Phase 2 of the OCR’s HIPAA Audit Program, we recommend that you prepare through Risk Analysis, Risk Management, Breach Reporting, and Privacy Notice and Access. Phase 2 audits of covered entities will focus on:

  • Device and Media Controls
  • Transmission Security
  • Risk Analysis and Risk Management
  • Safeguards and Training on Policies and Procedures
  • Notice of Privacy Practices and Access Rights
  • Breach Notification Content and Timeliness

Business Associates are the vendors who provide services on behalf of Covered Entities. Right now, the OCR is conducting audits of business associates and assigning fines for lack of HIPAA compliance. For business associates, these audits will focus on Risk Analysis, Risk Management, and Breach Reporting to Covered Entities. If you are a business associate, we recommend that you prepare through:

  • Conducting Security Rule Risk Analysis and Risk Management
  • Reviewing Policies and Procedures related to ePHI vulnerability, accessibility, and integrity
  • Identifying all systems that include ePHI
  • Evaluating security measures to reduce risk
  • Breach Reporting (impermissible acquisition, use, access, or disclosure of ePHI)
  • Evaluating Policies and Procedures

KirkpatrickPrice can service both covered entities and business associates through:

  • Experienced Risk Analysis Practices
  • Policy and Procedure Review
  • Approach Modeled on HIPAA Audit Protocol
  • Expert Information Security Personnel
  • Web-based Portal Experience

If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

Who must be HIPAA Compliant? This is a question we get asked from time to time. Up until 2009, the answer was Covered Entities, which are healthcare providers like doctors’ offices and hospitals. But when the HITECH Act passed, it expanded the oversight of the OCR to the Business Associates, which are the vendors who provide services to the Covered Entities.
Right now, the OCR is conducting audits of Business Associates and assessing fines for lack of HIPAA Compliance. If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

What HIPAA Means for Covered Entities and Business Associates

What is HIPAA? How does HIPAA apply to my business and what must I do to ensure I’m HIPAA compliant? Watch as our HIPAA Expert, Stephanie Rodrigue, walks us through the ins and outs of HIPAA and protecting ePHI for covered entities and business associates.

Stephanie Rodrigue Explains HIPAA’s Impact on Covered Entities & Business Associates

What is HIPAA?

HIPAA refers to laws that apply to covered entities and business associates regarding the privacy, security, and accessibility of electronic protected health information (ePHI). Covered entities and business associates use this information to provide services to the public such as medical care and the filing and billing of medical claims. Covered entities include doctors’ offices, hospitals, healthcare providers, health plans, and healthcare clearinghouses. Because these entities collect health information directly from the patient, it’s probably obvious that they are responsible for protecting ePHI.

But there are actually many types of companies providing services such as data storage, analytics, marketing, billing, collections, and practice management that receive ePHI from a covered entity and are also responsible for protecting ePHI under the HIPAA Security and Privacy Rules. HIPAA and the HITECH Act are enforced by the Office for Civil Rights (OCR) through a required notification, audit, and fine program. If a covered entity or business associate does not have proper safeguards in place to protect ePHI, a breach of this information can occur and fines will be assessed and issued by the OCR.

Understanding how to protect ePHI is a critical responsibility of covered entities and business associates because HIPAA laws dictate how this private information is received, transmitted, and stored and how it is made accessible to the patient.

If you clicked on a video entitled “What is HIPAA?” then you’re probably pretty new to this topic. So I’d like to start by defining some of the terms that you’re going to encounter. First, HIPAA is an act that was passed in 1996 and updated in 2009 with the HITECH Act. These provide the rules for the privacy and security of protected health information. Protected health information is commonly referred to by the acronym “PHI”, and it’s the information collected about health care, or payment for health care, that can be directly linked to an individual.

Covered entities commonly collect this information. These are doctors’ offices, hospitals, other health care providers, health plans, and health care clearinghouses.

Another group that comes into contact with PHI is the business associates, and these are people or organizations that provide services on behalf of a covered entity.

I hope that this information provides a little bit of help for you. If you have more questions please feel free to contact us.