OCR: Protecting Data Involves Physical Security As Well As Cybersecurity

The OCR’s latest cybersecurity newsletter discusses the importance of physically securing devices with access to ePHI.

When it comes to HIPAA’s patient data protection requirements, hospital officials tend to focus on cybersecurity safeguards at the expense of physical security measures.

That’s the reasoning behind the latest letter from the Department of Health and Human Services’ Office for Civil Rights, which called the physical security of electronic protected health information (ePHI) an “often overlooked” component of the HIPAA Security Rule.

The HIPAA Security Rule requires healthcare entities to implement physical safeguards around any devices that have access to ePHI. This includes portable devices like laptops, smartphones and tablets.

Failing to take reasonable physical security steps has led to settlement payments of up to $3.9 million for violations of the HIPAA Security Rule’s Workstation Security standard.

“Physical security controls remain essential and often cost-effective components of an organization’s overall information security program,” the letter states.

The OCR gave examples of inexpensive physical security solutions, including privacy screens and locks for devices, USB drives and CD ports. It also recommended that organizations position workstation screens so that they can’t be easily viewed and keep electronic equipment in secured areas, including locked rooms.

Finally, the letter gave healthcare officials seven questions to ask themselves about their organization’s physical security strategy, listed below.

  1. Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  2. Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  3. Should devices currently in public or vulnerable areas be relocated?
  4. What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  5. What additional physical security controls could be reasonably put into place?
  6. Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  7. Are signs posted reminding personnel and visitors about physical security policies or monitoring?

Overall, as each hospital undertakes compliance efforts with HIPAA’s Security Rule, the OCR urged hospital officials to follow tried-and-true processes before instating additional ePHI physical security measures.

“What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process,” the letter states.


About the Author


Zach Winn is a journalist living in the Boston area. He was previously a reporter for Wicked Local and graduated from Keene State College in 2014, earning a Bachelor’s Degree in journalism and minoring in political science.
