The second section of the HIPAA Security Rule covers physical safeguards. Physical safeguards are the physical measures, policies and procedures that protect a covered entity's electronic information systems, and the related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion.
The first standard under physical safeguards is Facility Access Controls. This standard requires policies and procedures that limit physical access to electronic information systems and to the facility or facilities in which they are housed, while ensuring that properly authorized access is still allowed. The standard is made up of four addressable implementation specifications:
- Contingency Operations
- Facility Security Plan
- Access Control and Validation Procedures
- Maintenance Records
Each of the addressable specifications under Facility Access Controls requires policies and procedures to be created and implemented. The first specification, Contingency Operations, requires a covered entity to establish procedures that allow facility access in support of restoring lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. The Facility Security Plan requires covered entities to create and implement policies and procedures that document the physical access controls in place, so that only people with a legitimate business reason can enter particular areas of the facility. Simple controls include locked doors, surveillance cameras, control tags, ID badges, and visitor badges. The next specification, Access Control and Validation Procedures, requires covered entities to create procedures that validate a person's need to access a specific area of the physical space based on that person's role or function, including visitor control and control of access to software programs for testing and revision. In general, a person's access should align with their role and job responsibilities. The last specification under Facility Access Controls is Maintenance Records, which requires a covered entity to create and implement policies and procedures that document repairs and modifications to the physical components of a facility that relate to security, for example hardware, walls, doors, and locks.
The next standard under physical safeguards is Workstation Use. Under the HIPAA Security Rule, a workstation is an electronic computing device, for example a laptop or desktop computer, or any other device that performs similar functions, together with the electronic media stored in its immediate environment. This standard has no implementation specifications of its own. It requires a covered entity to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. Some requirements for the Workstation Use standard are:
- Ensure that the policies and procedures that define the business needs of physical workstations include information about the security of ePHI.
- Ensure that the policies and procedures cover all employees with workstations, including those who work from home, in satellite offices, or in another facility.
- Review and implement additional security measures, such as placing workstations so that screens cannot easily be viewed by others, enabling password-protected screen savers, and defining log-off procedures for workstations.
To complement the Workstation Use standard, the next standard is Workstation Security. This standard requires covered entities to implement physical safeguards for all workstations that access ePHI, so that access is restricted to authorized users. Requirements for this standard include:
- Defining how workstations are to be physically protected from unauthorized users.
- Based on the use of specific workstations, the facility may choose to restrict or minimize physical access to a workstation.
- If needed, completing a risk assessment to determine the risks to workstation security and the best mitigations for them.
The next standard under the HIPAA Security Rule is Device and Media Controls. This standard requires a covered entity to implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility. The standard is made up of two required implementation specifications, Disposal and Media Re-use, and two addressable ones, Accountability and Data Backup and Storage.
Looking at each of the specifications under Device and Media Controls, the first required specification is Disposal. It requires a covered entity to create a policy and procedure that addresses the final disposition of ePHI and of the hardware or electronic media on which it is stored. The second required specification, Media Re-use, again requires a covered entity to establish a policy and procedure, in this case addressing the removal of ePHI from electronic media before the media are made available for re-use. The first addressable specification is Accountability, which requires a covered entity to maintain a record of the movements of hardware and electronic media and of any person responsible for them; this should also be addressed in a policy and procedure. The other addressable specification is Data Backup and Storage. This requirement differs from the data backup and storage of ePHI under the administrative safeguards: it is focused on creating a retrievable, exact copy of ePHI, when needed, before equipment is moved. This too should be addressed in a policy and procedure.
Here are some recommendations to support the device and media controls policies and procedures:
- Maintain a record of the movements of hardware and electronic media, and of the person(s) responsible, for computer surplus and reconfiguration activities.
- Prior to destruction of items, verify the retention period and notify the Privacy & Security Official(s) of the plans to destroy the records.
- Destroy media (paper, fiche, floppies, CDs, etc.) that contain PHI using one of the following acceptable methods of destruction: crosscut shredding, burning, pulping or pulverizing.
- For electronic media that will be re-used rather than destroyed, remove the ePHI with a method that cannot be reversed, such as overwriting, degaussing of magnetic media, or cryptographic erase, rather than simply deleting files or reformatting; NIST SP 800-88 describes these sanitization methods.
- Maintain a Destruction Log that identifies the individual records and Designated Record Set (DRS) destroyed.
- If a commercial destruction company is used, it must provide a Certificate of Destruction for each load or destruction session. Attach this certificate to the Destruction Log as verification of the process.