HIPAA Physical Safeguards
Section §164.310 of the Health Insurance Portability and Accountability Act describes the physical safeguards that a covered entity or business associate must employ when handling electronic protected health information (ePHI). These physical safeguards cover several areas, including facility access, use of workstations, and use and disposal of devices and media that contain ePHI.
Physical Safeguards – Facility Access Controls
Physical safeguards must be in place in any location where protected health information is stored. These safeguards must be formalized in policies and procedures which protect physical access to sensitive data. These policies must take into account the sensitivity of the data being stored, and provide measures that restrict physical access to locations that store ePHI only to those who require it for business purposes. The complete requirements are listed in the following implementation specifications:
Procedures must be established that allow necessary physical access to the facility when restoring lost data after an emergency. This restoration must take place under a formalized disaster recovery plan.
Facility Security Plan
A formalized plan must be established to protect facilities from unauthorized access.
Access Control and Validation Procedures
Access to the facility must be contingent upon the verification of an individual’s identity as well as their need for access to carry out business functions. This includes visitor control.
Any changes to the physical layout of the facility that may affect the access control policies and procedures must be documented.
Physical Safeguards – Workstation Use
For facilities where workstations are used to access ePHI, those workstations must be kept in a secure state. To this end, a covered entity or business associate must have formal policies that determine how workstations are to be used, and what physical state those workstations are to be kept in. For example, this policy could mandate that a specific workstation can only run a restricted list of programs, and that when it is in use, the user must be supervised by an administrator.
Physical Safeguards – Workstation Security
Covered entities and business associates also must implement policies that create physical safeguards to the workstations themselves. In any case where a workstation has or could have access to ePHI, there must be a formal policy in place that restricts physical access to that workstation only to those who are authorized to use it. This policy also must detail the procedure through which authorization is obtained.
Physical Safeguards – Device and Media Controls
Physical controls must also be enacted for devices and media which may house ePHI. A covered entity of business associate must have formalized policies that indicate how devices and media are handled inside of a facility in order to prevent the accidental or malicious theft or destruction of ePHI. There are four policies or procedures that a covered entity or business associate must enact to be compliant with the device and media physical controls requirement.
Procedures must be established to securely dispose of devices or media that contain ePHI when they are no longer in use.
Procedures must be established for secure and complete removal of ePHI from devices and media before they can be repurposed for other use.
The owner or party responsible for devices or media that contain ePHI must be tracked and recorded throughout the life cycle of the medium.
Data Backup and Storage
Retrievable backups of ePHI data should be created before any equipment is moved. These backups are subject to the same rules as other removable media that contain ePHI.
Changes in the 2013 HIPAA Update
The 2013 HIPAA Omnibus Rule changed the scope of the physical controls requirements to apply not only to covered entities, but also to business associates. No other changes were made in the update.