A Quick Guide to HIPAA Physical Safeguards

The Security Rule was enacted to enforce certain safeguards to regulate how PHI should be secured. Also known as Technical, Administrative, and Physical Safeguards, this subsection under The Security Rule provides structural guidance for HIPAA covered entities. They must comply with these safeguards to protect sensitive health data. 

There are three rules outlined under HIPAA: The Privacy Rule, The Security Rule, and The Breach Notification Rule. Each of these rules has been uniquely structured to ensure that confidential information is properly secured. 

In 1996, The Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The purpose of HIPAA is to give patient’s positive control over how their medical information is used and distributed.

HIPAA laws only apply to Covered Entities (CEs) and their Business Associates (BAs). A CE is a provider, health plan, or any other type of healthcare organization that handles Protected Health Information (PHI). Any healthcare organization that has created, received, or transmitted PHI must be HIPAA compliant.

A BA, on the other hand, is a third party entity affiliated with a CE. They are not a healthcare organization, but do typically provide a service on their behalf. As a result, a BA usually comes into contact with PHI. Furthermore, both parties are legally required to maintain HIPAA compliance. 

The Security Rule

Before HIPAA, security standards for PHI did not exist. During this time, however, a technological boom was taking place. At the turn of the millennium, new technologies were being developed everyday. While this did make life undoubtedly more convenient, it did come with security risks.

Cell phones and laptops, for example, became essential for everyday communication, especially for those in the healthcare industry. Both devices were far more effective and efficient in conducting business, connecting with friends, and much more. However, as healthcare entities began to take advantage of these technologies, their patient’s health data would start to suffer. 

As a result, HIPAA laws were enacted to combat potential security threats. Under HIPAA, certain rules were established to keep PHI safe from a data breach. 

While each rule possessed a distinct purpose, The Security Rule was enacted specifically to regulate how electronic Protected Health Information (ePHI) should be secured. 

A subsection of safeguards are outlined under HIPAA’s Security Rule to assist healthcare entities in safeguarding ePHI. They are known as the Technical, Administrative, and Physical Safeguards of HIPAA. The first step toward Security Rule compliance is to follow these safeguards.

Physical Safeguards are…

The Security Rule requires that a CE implement Physical Safeguards to protect the integrity of confidential information.

Physical Safeguards are, as the name suggests, policies and procedures to protect a HIPAA covered entities physical assets. This can include their buildings, equipment, electronic information systems, or any other modality used to store, receive, or transmit ePHI. Further, the purpose of Physical Safeguards is to control who has access to PHI, and how that access is managed. 

Examples of Physical Safeguards

Physical Safeguards outline physical measures that HIPAA covered entities must follow in order to protect private medical information. Therefore, facilities that handle ePHI need to have the following implemented in order to keep their assets properly safeguarded.

Facility Access Controls…

…Steps a CE needs to follow to protect their building from unauthorized access.

1. Contingency Operations are physical security measures for data restoration. Authorized personnel must follow these plans in the event of a emergency situation or disaster.
2. Facility Security Plan is in place to protect the physical building and equipment in which data is stored. Thus, a protocol to document access controls must be followed in order to prevent unauthorized access to ePHI 
3. Access Control and Validation Procedures are measures a CE will use to determine who should have authorized access to ePHI. Therefore, the CE decides how strict the security procedures should be. This will be based on the size of the healthcare organization.
4. Maintenance Records require that a CE document any physical repairs made to the building that pertain to data security, i.e. repairs to hardware, doors, walls, or locks.  

 

Device and Media Controls…

…Standards for recording and removing electronic media that contains PHI. 

1. Disposal implements steps a CE must take to properly get rid of PHI. As such, once the data has been erased, it should be inaccessible and unusable in any capacity afterwards. 
2. Media Re-Use is a policy in place for a CE who wants to re-purpose media instead of destroying it. While this can be done internally or externally, a strict protocol must be followed. As such, ePHI must be stripped of any identifiable factors (i.e. a patient’s name, DOB, SSN, etc.) before the media is available for re-use. 
3. Data Backup and Storage is similar to policies outlined under HIPAA’s Administrative Safeguards. This specifically protects data while it is being moved from one hard drive to another. Moreover, these policies require that copies are made of health data in case it is damaged during transit. Before the original data is moved off of the equipment, an exact and retrievable copy needs to be made. 

 

Workstation Controls…

… Includes Workstation Use and Workstation Controls. This is a set of standards in place to oversee how the workplace should be controlled. Ultimately, the goal is to protect confidential data from unauthorized access.  

1. Workstation Use regulates how electronic devices are used in the workplace. Visiting unprotected websites or clicking into suspicious links, for example, can increase security threats. As such, any devices used to store, maintain, or transmit ePHI should be strictly monitored in the workplace.
2. Workstation Security physically protects healthcare organizations from unauthorized access. A CE must implement appropriate physical safeguards to minimize security threats and secure ePHI. For example, keeping data in a room with restricted access can prevent unauthorized personnel from obtaining confidential information. 

 

Why are Physical Safeguards Important?

Physical Safeguards are a crucial subsection of HIPAA’s Security Rule. They are enforced by The Department of Health and Human Services (HHS) to minimize the risk of a physical data breach.

Physical Safeguards differ from Technical or Administrative Safeguards. Technical Safeguards maintain the integrity of data stored electronically, while Administrative Safeguards implement workplace policies for proper data storage. Physical Safeguards, on the other hand, protect the buildings and equipment that store PHI. 

Without Physical Safeguards, there would be no policies in place to regulate who or what can physically access sensitive information. Physical Safeguards are important because they provide clear and direct guidance for HIPAA covered entities that handle PHI.