The HIPAA Security Rule requires that covered entities and business associates have physical safeguards and controls in place to protect electronic Protected Health Information (ePHI). These safeguards are the set of standards and implementation specifications that address physical access to ePHI and to the systems, facilities, and equipment that hold it.
What are Physical Safeguards?
According to the Security Rule, physical safeguards are, “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” Each organization’s physical safeguards may be different, and should be derived from the results of the HIPAA risk analysis.
The physical safeguards are made up of four standards:
- Facility Access Controls – These policies and procedures should limit physical access to electronic information systems and the facilities that house them to the minimum necessary, while ensuring that properly authorized access is still allowed. Common controls include locked doors, signs labeling restricted areas, surveillance cameras, onsite security guards, and alarms. Personnel controls could include ID badges and visitor badges, along with a visitor log.
- Workstation Use – Workstation use covers the appropriate use of workstations, such as desktops or laptops, that access ePHI. These policies and procedures should specify the proper functions to be performed on workstations, how they should be performed, and the physical attributes of the surroundings of each workstation (for example, screen placement and whether the workstation is in a public area).
- Workstation Security – Workstation security covers the physical safeguards for workstations that access ePHI, so that access is restricted to authorized users (for example, cable locks, screen privacy filters, and keeping laptops out of unattended public areas).
- Device and Media Controls – Device and media controls are policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and their movement within the facility. These controls cover disposal, media reuse, accountability (tracking the movement of hardware and media and who is responsible for it), and data backup and storage (making a retrievable, exact copy of ePHI before equipment is moved). Disposal and media reuse are required implementation specifications; accountability and data backup and storage are addressable, meaning you must implement them if reasonable and appropriate, or document why not and implement an equivalent alternative where one is reasonable.
In order to satisfy this requirement, organizations must be able to demonstrate that the appropriate physical safeguards are in place and that they are operating effectively, for example through access logs, visitor logs, media disposal records, and equipment inventories. For more help with determining whether your organization has the proper controls in place, contact us today.
The Security Rule requires that you have physical controls in place to protect ePHI. This is going to look different for every organization, so it’s important that you go back to your risk analysis to understand which physical controls are appropriate for your organization.
When we talk about physical controls, some of it is really simple, like having a lock on your server room door or having security cameras or a security guard onsite. We’re talking about preventing the physical removal of ePHI from your facility. In order to be compliant in this area, you’re going to have to be able to provide evidence that your controls are in place and operating effectively.