HIPAA Security Physical Safeguards

A couple of days back I was teaching a HIPAA Seminar to a group of professionals. As expected, I started with the Administrative Standard followed by the Technical Standards leaving the Physical Security Standards towards the end. I didn’t think anything about it until one of the attendees brought it to my attention.

Reality is that I’m not alone as it relates to HIPAA Security priorities and allocation of resources. Based on my research I came to realize that most entities put most of their emphasis on the Administrative and Technical Standards and then cover the Physical Standards on a time-available basis. This issue of underestimating the HIPAA Security Physical Standards has not gone unnoticed: the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) addressed it in its May 2018 Cybersecurity Newsletter, describing Physical Security as “an important component of the HIPAA Security Rule that is often overlooked.”

Sad to say, the HIPAA Security Physical Safeguards requirements are fairly straightforward, yet failure to follow them has already resulted in settlements and fines ranging from $250,000 to $3.9 million.

For those who are wondering, the HIPAA Security Physical Safeguards focus on ensuring that all devices with access to ePHI have physical security in place. In a dissertation by Seymour E. Goodman and Herbert S. Lin of the Committee on Improving Cybersecurity Research in the United States, they wrote:

“…the intent of security is to make a system completely unusable to an unauthorized party but completely usable to an authorized one…”

Therefore, an interpretation of the HIPAA Security Physical Safeguards could be the actions and activities within the facility designed to allow access to authorized users while simultaneously denying access and protecting information from unauthorized users.

Simple to say, although not as simple to execute. The heart of the matter is that Covered Entities and Business Associates must come up with a plan and approach to implement an effective strategy that protects their assets and information. While there are many options as to how to move forward, it is our opinion that most entities will benefit from using OCR’s guidance questions on this subject:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • What additional physical security controls could be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

In summary, be proactive, protect your assets from unauthorized individuals, and make sure you are not only aware but also compliant with HIPAA Security Physical Safeguards.