The second section of the HIPAA Security Rule covers physical safeguards. Physical safeguards are the physical measures, policies and procedures used to protect and secure a covered entity's electronic information systems. They are focused on protecting electronic information systems, and the buildings and equipment that house them, from natural hazards, environmental hazards, and unauthorized intrusion.
The first standard under physical safeguards is Facility and Access Controls. This standard focuses on implementing policies and procedures that limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is still allowed. The standard is made up of four addressable implementation specifications: Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, and Maintenance Records.
Each of the addressable specifications under Facility and Access Controls requires policies and procedures to be created and implemented. The first specification, Contingency Operations, requires a covered entity to establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and the emergency mode operations plan in the event of an emergency. The Facility Security Plan requires covered entities to create and implement policies and procedures that document physical access controls, meaning that only people with a legitimate business reason can access certain areas of the facility. Some simple controls are locked doors, surveillance cameras, control tags, ID badges, and visitor badges. The next specification, Access Control and Validation Procedures, requires covered entities to create a procedure that validates a person's need to access a specific area of the physical space as well as access to software systems. In general, a person's access should be aligned with their role and job responsibilities. The last specification under Facility and Access Controls is Maintenance Records. This specification requires a covered entity to create and implement policies and procedures that document repairs and modifications to the physical components of a facility that relate to security.
The next standard under Physical Safeguards is Workstation Use. Under the HIPAA Security Rule, a workstation is defined as an electronic computing device, for example a laptop or desktop computer, or any other device that performs similar functions, together with the electronic media stored in its immediate environment. This standard has no implementation specifications. It requires a covered entity to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. Some requirements for the Workstation Use standard are: (1) ensure that the policies and procedures that define and set the business needs of physical workstations include information regarding the security of ePHI; (2) ensure that the policies and procedures cover all employees with workstations, including those who work from home, in satellite offices, or in another facility; and (3) review and implement additional security measures such as placing workstations so that screens are minimally viewable, enabling password-protected screen savers, and defining log-off procedures for workstations.
To complement the Workstation Use standard, the next standard is Workstation Security. This standard requires covered entities to implement physical safeguards for all workstations that access ePHI, in order to restrict access by unauthorized viewers. Requirements for this standard include: defining how workstations should be physically protected from unauthorized users; based on the use of specific workstations, choosing to restrict or minimize physical access to a workstation; and, if needed, completing a risk assessment to determine the risks and the best mitigations for workstation security.
The next standard under the HIPAA Security Rule is Device and Media Controls. This standard requires a covered entity to implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility. The standard is made up of two required and two addressable implementation specifications. The required specifications are media disposal and media re-use; the two addressable specifications are accountability and data backup and storage.
Taking a look at each of the specifications under Device and Media Controls, the first of the required specifications is disposal. This specification requires a covered entity to create a policy and procedure addressing the final disposition of ePHI and/or the hardware or electronic media on which it is stored. The next required specification, media re-use, again requires a covered entity to establish a policy and procedure addressing the removal of ePHI from electronic media before the media are made available for re-use. The first addressable specification is accountability, which requires a covered entity to maintain a record of the movement of hardware and electronic media and of any person responsible for it. This should be addressed in a policy and procedure. The other addressable specification is data backup and storage. This requirement differs from the data backup and storage requirement for ePHI in the administrative safeguards: it is focused on creating a retrievable, exact copy of ePHI before equipment is moved. This should also be addressed in a policy and procedure.
Here are some recommendations to support the device and media controls policies and procedures. Maintain a record of the movements of hardware and electronic media and of the person(s) responsible for computer surplus and reconfiguration activities. Prior to the destruction of items, verify the retention period and notify the Privacy & Security Official(s) of the plans to destroy the documents. Destroy media (paper, fiche, floppies, CDs, etc.) that contain PHI using one of the following acceptable methods of destruction: crosscut shredding, burning, pulping or pulverizing. Maintain a Destruction Log to identify the individual records and Designated Record Set (DRS) destroyed. If a commercial destruction company is used, a Certificate of Destruction must be provided by the company for each load or destruction session; attach this certificate to the Destruction Log as verification of the process.