The HIPAA Security Rule requires covered entities and business associates to implement physical, administrative, and technical safeguards to protect protected health information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance warning that “essential” physical security is often overlooked.
A thorough and compliant HIPAA Security Rule risk analysis must include a review of the entity’s implementation of physical safeguards. The Security Rule requires that covered entities and business associates address facility access controls and the receipt and removal of devices containing ePHI, and restrict access to workstations containing ePHI to authorized users. “Workstations” include not only desktop and laptop computers, but also any other electronic media and portable electronic devices. Tablets and smartphones must be considered if they contain or can access ePHI. HIPAA permits entities to tailor physical security according to the size and complexity of the entity’s operations, but some level of physical security will always be necessary.
OCR’s recent guidance focuses on restricting access to workstations. Access controls are most commonly associated with technical safeguards like unique usernames, stringent password requirements, and tracking user activity. HIPAA also requires that entities physically protect workstations that contain or access ePHI. For example, facilities and rooms where workstations are located should be adequately secured with locks and/or other regulated entry systems. Security cameras or guards might also be appropriate for certain entities. Device locks are ideal for laptops and other small devices that can be easily removed from their location. OCR emphasizes that physical safeguards do not have to be expensive or complex: security measures can be low cost or free, and as simple as positioning workstation screens away from public areas or using privacy screens.
In the digital age, it is easy to ignore some of the simplest and most cost-efficient measures to prevent HIPAA risk and liability. OCR’s guidance makes it clear that OCR will not ignore physical safeguards in evaluating HIPAA compliance. In fact, OCR notes that several settlements for alleged HIPAA violations have involved concerns over workstation security.
OCR urges covered entities and business associates to develop a physical security strategy by (1) taking an inventory of all electronic devices, (2) evaluating the location of the devices and whether they should be relocated, (3) assessing what physical security controls are currently in place and what additional controls could be added, (4) putting policies in place and training employees on physical security, and (5) posting signs and notices as reminders about physical security. Covered entities and business associates should follow these steps and continuously monitor physical safeguards as part of a comprehensive HIPAA compliance program.