When it comes to HIPAA’s patient data protection requirements, hospital officials tend to focus on cybersecurity safeguards at the expense of physical security measures.
That’s the reasoning behind the latest letter from the Department of Health and Human Services’ Office for Civil Rights, which called the physical security of electronic protected health information (ePHI) an “often overlooked” component of the HIPAA Security Rule.
The HIPAA Security Rule requires healthcare entities to implement physical safeguards around any devices that have access to ePHI. This includes portable devices such as laptops, smartphones and tablets.
Failing to take reasonable physical security steps has led to settlement payments for violations of the HIPAA Security Rule’s Workstation Security standard of up to $3.9 million.
“Physical security controls remain essential and often cost-effective components of an organization’s overall information security program,” the letter states.
The OCR gave examples of inexpensive physical security measures, including privacy screens and locks for devices, USB drives and CD ports. It also recommended that organizations position workstation screens so they cannot be easily viewed and keep electronic equipment in secured areas, such as locked rooms.
Finally, the letter gave healthcare officials seven questions to ask themselves about their organization’s physical security strategy, listed below.
- Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
- Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
- Should devices currently in public or vulnerable areas be relocated?
- What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
- What additional physical security controls could be reasonably put into place?
- Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
- Are signs posted reminding personnel and visitors about physical security policies or monitoring?
Overall, as each hospital undertakes compliance efforts under HIPAA’s Security Rule, the OCR urged hospital officials to follow tried-and-true processes before instituting additional ePHI physical security measures.
“What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process,” the letter states.