HIPAA Physical Safeguards for PHI

What Are HIPAA Physical Safeguards?

Physical safeguards are the physical measures put in place to protect a covered entity’s electronic information systems from environmental hazards and unauthorized intrusions. Physical safeguards are part of the HIPAA Security Rule.

These electronic information systems are what store electronic protected health information, or ePHI, and therefore need physical safeguards whether they are housed on the covered entity’s premises or elsewhere.

Facility access controls, workstation use and security, and device and media controls are the standards under physical safeguards [1]. All HIPAA-covered entities must implement all three types of safeguards under the HIPAA Security Rule:

  • Physical Safeguards
  • Administrative Safeguards
  • Technical Safeguards

Types of Physical Safeguards

There are three main types of HIPAA physical safeguards that every entity should implement to protect the equipment that stores sensitive health information.

Facility Access Controls

Facility access controls include things like locks and alarms to ensure that only authorized personnel can access the facilities and systems that house PHI, like servers, computers, and files.

Covered entities must ensure that these physical safeguards are robust enough to prevent unauthorized access or intrusion while still allowing authorized personnel to pass through security checks and do their work.

There are four implementation specifications to address:

  • Contingency Operations – Who will access PHI facilities during or after an emergency, and how, in order to restore data and maintain physical security.
  • Facility Security Plans – How you’ll prevent unauthorized physical access to facilities and equipment that house PHI.
  • Access Control and Validation Procedures – How you’ll limit access to only those who need it and validate the identity and authorization of those wanting to enter PHI-housing facilities.
  • Maintenance Records – Records of all maintenance done on doors, locks, codes, keys, lockers, and other hardware that maintains the security of the facility.

Workstation Use and Security

Workstations are devices like laptops and desktop computers that hold ePHI. Workstations need to be secured to prevent unauthorized access.

Covered entities need to analyze their operations to determine which devices qualify as workstations. Then, they need to establish physical safeguards for each workstation.

  • Workstation Use Standard – Determines appropriate use of workstation devices, including which functions may be performed and how.
  • Workstation Security Standard – Determines how workstations will be physically protected from unauthorized users [2].

Device and Media Controls

Covered entities must have policies in place that manage how hardware and electronic media (such as memory cards, disks, tapes, or hard drives) carrying ePHI are moved into, out of, and within the facility. The Device and Media Controls standard also dictates how electronic media will be handled, including standards for:

  • Data Backup and Storage – Establishes whether an exact copy of ePHI needs to be made before moving any equipment and how data will be stored.
  • Accountability – How you’ll maintain a record of the people responsible for moving hardware and electronic media and how these things will be moved.
  • Disposal – Addresses how you’ll make ePHI unusable or inaccessible on devices that you dispose of.
  • Reuse – Determines how you’ll remove ePHI from devices or electronic media before reusing them.

Disposal and media reuse are required implementation specifications; data backup and storage and accountability are left to your organization to determine whether and how they will be established [2].

Clarity eCommerce Is HIPAA-Compliant

Sign up for a free discovery session with our HIPAA development experts to find the HIPAA eCommerce solution that’s best for your business.

Autumn Spriggle is a Content Writer at Clarity Ventures with experience in research and content design. She stays up to date with the latest trends in the tech industry so she can write content to help people like you realize the full potential for their business.