Physical security safeguards are a necessary measure if you’re to protect your clients’ privacy. If you are in the health/medical services industry, this can’t be stressed enough. So, what is the purpose of physical security safeguards under HIPAA, and why are they important?

The year 2019 recorded the highest number of data breaches involving healthcare information. The figure has been rising, as it has in every previous year since 2009.

To avoid being a victim, you should fully implement the best security for small businesses.

Here’s what you can expect in this article:

  • What are HIPAA physical safeguards
  • What is the purpose of physical security safeguards and why is it important?
  • Types

1. What are HIPAA physical safeguards?

They include a raft of physical measures, policies, and procedures. These protect electronic Protected Health Information (EPHI), as well as the electronic information systems of covered entities.

2. What is it for and why is it important?

HIPAA physical security safeguards ensure the security and integrity of electronic Protected Health Information (EPHI).

All covered entities, i.e. health service providers and related services, are required to be HIPAA compliant.

As a service provider/business, failure to comply will not only land you in trouble with the authorities; in the event of a security breach it can also result in your business’s reputation being tarnished.

3. Facility access controls

Facility access controls do more than just grant or limit access to your premises: they play a much bigger role in securing your premises and the data stored there. But what are they in the first place?

There are three types of access control:

  • Discretionary Access Control
  • Mandatory Access Control
  • Role-Based Access Control

Whichever option you choose to go with, to fully comply with HIPAA physical safeguards requirements, you must observe the following.

Contingency Operation

What do you do when faced with an event beyond your control? In most cases, nothing. You just pray for the best and prepare for the worst. But this shouldn’t be the case for you.

What is the purpose of physical security safeguards here? Part of your physical safeguard measures should provide for offsite backup centers for your EPHI, power backups to deal with power surges/blackouts, and a plan for securing the offsite backup facilities that hold your data.

Whatever happens, be it floods, a breach of the facility, or even fires and power surges, the security and integrity of the EPHI in your facility must be ensured.

Facility Security Plan

A facility security plan is a comprehensive document detailing the measures you will take to ensure the security and integrity of the facility and the data stored there.

The facility security plan should list all known security threats and vulnerabilities, the measures in place to deal with them, and details of your security team and of all employees in the facility.

You must first conduct a risk assessment to know all possible risks and vulnerabilities your facility may have.

Access Control and Validation Procedures

This is an addition to the facility’s security plan.

In ensuring the security of your facility, you must have a way of limiting access to authorized individuals only. To do this, you should be able to correctly identify and authenticate everyone accessing your facility.

If you go for physical keys, this can take the form of issuing keys to employees. Otherwise, authorized personnel can use commercial key fob door entry systems, RFID cards, or biometrics to access the facility, in addition to photo IDs for visual verification.

The best thing about most modern access controls is that every time a user accesses the facility or a resource within it (e.g. a workstation), a log entry is generated. So in the event of a security breach, you can always use the audit trails to find possible culprits.

Regarding compliance with HIPAA requirements, this should apply not only to the physical security of the facility but also to technical and policy issues. For example, all employees have to use their key fobs or biometrics when accessing EPHI, or software can be installed to prevent the transfer of data.
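As an added example (not from the article), here is one way to put the audit trails described above to work: a small Python script that correlates badge-entry events with EPHI workstation logins and flags logins that have no preceding granted badge entry (possible tailgating or credential sharing) or that fall outside business hours. The log format, user names, door and workstation names are all constructed assumptions; adapt the parser to your own access-control system’s export.

```python
from datetime import datetime, timedelta

# Constructed sample badge-system export: timestamp, user, door, result.
BADGE_LOG = """\
2024-03-04T07:58:10 jdoe   MAIN_ENTRANCE GRANTED
2024-03-04T08:02:45 asmith MAIN_ENTRANCE GRANTED
2024-03-04T08:03:01 bwong  MAIN_ENTRANCE DENIED
2024-03-04T17:31:09 jdoe   MAIN_ENTRANCE GRANTED
"""

# Constructed sample workstation log: timestamp, user, EPHI host, action.
WORKSTATION_LOG = """\
2024-03-04T08:05:30 jdoe   WS-RECORDS-01 LOGIN
2024-03-04T08:06:12 asmith WS-RECORDS-02 LOGIN
2024-03-04T08:10:44 bwong  WS-RECORDS-03 LOGIN
2024-03-04T23:40:05 jdoe   WS-RECORDS-01 LOGIN
"""


def parse(log):
    """Turn whitespace-separated log lines into (time, user, target, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, target, result = line.split()
        events.append((datetime.fromisoformat(ts), user, target, result))
    return events


def find_suspicious_logins(badge_log, workstation_log,
                           window_hours=12, business_hours=(7, 19)):
    """Return (user, workstation, reason) for each workstation login that has
    no GRANTED badge entry by the same user within the preceding window, or
    that happens outside business_hours (start inclusive, end exclusive)."""
    granted = [(t, u) for t, u, _, r in parse(badge_log) if r == "GRANTED"]
    window = timedelta(hours=window_hours)
    findings = []
    for t, user, ws, action in parse(workstation_log):
        if action != "LOGIN":
            continue
        # Badge entries must precede the login and be no older than the window.
        recent = [bt for bt, bu in granted
                  if bu == user and timedelta(0) <= t - bt <= window]
        if not recent:
            findings.append((user, ws, "no badge entry before login"))
        if not business_hours[0] <= t.hour < business_hours[1]:
            findings.append((user, ws, "login outside business hours"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(BADGE_LOG, WORKSTATION_LOG):
        print(*finding)
```

On the constructed data this reports bwong (badge denied, yet logged in) and jdoe’s late-night login; the flagged entries are leads for an investigation, not proof of wrongdoing on their own.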

Maintenance records

Primarily, this is a detailed account of any changes or servicing/repair work done to the security system components, together with the individuals or entities contracted to do the work.

It should also include a list of all employees in the facility, as well as their designations.

You can then use the maintenance records as proof of your compliance with HIPAA security safeguards requirements.

4. Workstation use

According to HIPAA requirements, you should implement policies and procedures that specify the proper functions to be performed, how those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic Protected Health Information (EPHI).

That seems like a lot.

Simply put, you should have a raft of policies and procedures covering how workstations are used in your facility. This includes who gets to access your workstations, as well as some proper planning of how the various workstations are installed, e.g. all monitors should face away from public view, and workstations should be set to log out after a short period of inactivity.

However you implement this, the overall objective is to secure the EPHI within your facility.

5. Workstation security

As a covered entity, you need physical safeguards in place for all workstations in your facility.

The term “workstation” refers to any device, e.g. desktop computer, laptop, tablet, etc., that is or can be used to access electronic Protected Health Information (EPHI).

Complying with this requirement means having a sound and robust access control component in your security system: the use of biometrics, key fobs, etc. to secure your facility as well as to authorize the use of workstations.

This takes the form of policies such as prohibiting employees from entering the facility with portable storage devices or, in extreme cases where confidentiality is prioritized, prohibiting the use of smartphones in the facility that holds EPHI.

6. Device and media controls

Disposal (Required)

According to HIPAA specifications, as a firm you need to implement policies and procedures to address the final disposition of electronic Protected Health Information (EPHI) and/or the hardware or electronic media on which it is stored.

What does this mean?

Before you dispose of the equipment, you must destroy all EPHI that may be on the hardware or electronic media used for storage, in such a manner that it cannot be recovered.

If the EPHI records happen to be on paper, you can burn, shred, or even pulp the papers. All EPHI records need to be destroyed so that they cannot be accessed.

Media re-use (Required)

Before re-using any electronic media, whether repurposing it for other departments or selling it, you must have a policy in place to remove or destroy all EPHI records on the media.

Accountability (Addressable)

You should always keep a record of all your firm’s electronic media and hardware. Record when and how each item is moved between departments, as well as a detailed record of the employees/individuals assigned to each piece of electronic media and hardware.

Data backup and storage (Addressable)

To deal with unforeseen risks, you should create an exact copy of the EPHI in your facility and, when necessary, be able to retrieve the copy and restore any data that may be lost.

The offsite data-backup center must be secured as properly as the main facility to prevent unauthorized access to EPHI.

7. Conclusion

Knowing the purpose of physical security safeguards, and knowing how to mitigate the risks they address, is highly important.

Now that you know what it is and the reason for it, why don’t you try being compliant with HIPAA regulations?

Requirements designated as “required” must be implemented.

The “addressable” designation implies that a firm has the flexibility to apply the requirement or, if it sees fit, to choose not to implement it.