oandp.com  >  The O&P EDGE  >  Archives   >  November 2003
HIPAA Security and the Physical Safeguards

By Jay Masci, PMP

In the last article, we went through the final administrative safeguards. Now we are moving on to physical safeguards. As you may remember from a previous article in The O&P EDGE, the Security Rule standards consist of four categories: administrative safeguards, physical safeguards, technical safeguards, and organizational safeguards.

Physical Safeguards

The physical safeguards are the security measures that protect a covered entity's electronic information systems, and the related buildings and equipment, from hazards and unauthorized intrusion.

1. Facility Access Controls Standard

Contingency operations (Addressable)

Implementation specification: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

What it means to your organization: This defines the processes that will control access to the facility when executing the contingency plans for your organization that were created as part of the administrative safeguards. These physical policies and procedures will more than likely be included within the contingency plans.

Facility security plan (Addressable)

Implementation specification: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

What it means to your organization: You, as the covered entity, retain responsibility for facility security even where you share a building with other organizations. In this case you may want to consider the facility security measures taken by the third party and document these within your facility security plan when appropriate.

Access control and validation procedures (Addressable)

Implementation specification: Implement procedures to control and validate a person's access to facilities based on his/her role or function, including visitor control and control of access to software programs for testing and revision.

What it means to your organization: Exactly as it states: you must implement procedures to validate that a person is allowed access, and define the controls that will limit that access to what his/her role or function requires.

Maintenance records (Addressable)

Implementation specification: Implement policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security.

What it means to your organization: Examples of maintenance records that should be documented include those for hardware, walls, doors, and locks.

2. Workstation Use Standard (Required)

Implementation specification: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information (PHI).

What it means to your organization: Basically, your organization will need to document policies and procedures for items such as logging off before leaving a workstation unattended, not leaving your password out in plain view, and not letting someone else use your workstation login and password. You should also note that the term "workstation" means any electronic computing device, such as a desktop computer, laptop, PDA, etc.

3. Workstation Security Standard (Required)

Implementation specification: Implement physical safeguards for all workstations that access electronic PHI, in order to restrict access to authorized users.

What it means to your organization: Safeguards may include placing the workstation in a more secure location or removing media drives through which electronic PHI could be copied to removable media and taken out of the workplace.

4. Device and Media Controls Standard

Disposal (Required)

Implementation specification: Implement policies and procedures to address the final disposition of electronic PHI, and/or the hardware or electronic media on which it is stored.

What it means to your organization: Often organizations give computers to their employees, schools, etc., once they have depreciated and are no longer useful to the organization. Your company must document how you will ensure that all electronic PHI is removed from the device or media when disposing of it. Be careful, because even deleting the files or records does not remove them completely from the device; often they can still be recovered.

Media re-use (Required)

Implementation specification: Implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.

What it means to your organization: This standard is very similar to disposal, except that here you are reallocating the media within your organization, and it may contain electronic PHI that the new department should not have access to. So again, you must implement procedures to remove the electronic PHI before re-using the media.
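The disposal and media re-use points above both rest on the same fact: an ordinary delete only removes the directory entry, and the bytes stay on the media until they are overwritten. The Python script below is an added example, not from this article or from Provaliant; it models a toy block device (a byte array plus a directory) so the behaviour can be shown offline. The patient records, names, and MRNs in it are constructed for the example, and the overwrite routine is illustrative; for real media follow your sanitization standard and the device vendor's guidance.

```python
import secrets

BLOCK_SIZE = 64     # bytes per block on the toy device
IMAGE_BLOCKS = 16   # total blocks on the toy device

# Constructed sample records (names and MRNs are made up for this example).
PHI_RECORDS = [
    b"MRN:000111|Name:Jane Example|Dx:transtibial amputation",
    b"MRN:000222|Name:John Sample|Dx:AFO fitting",
    b"MRN:000333|Name:Pat Placeholder|Dx:scoliosis brace",
]


class ToyDisk:
    """A toy block device: data blocks plus a directory mapping file names to
    block numbers. Real filesystems separate metadata from data the same way,
    which is why a plain delete leaves the data behind."""

    def __init__(self):
        self.data = bytearray(BLOCK_SIZE * IMAGE_BLOCKS)
        self.directory = {}               # file name -> block index
        self.free = list(range(IMAGE_BLOCKS))

    def write_file(self, name, payload):
        if len(payload) > BLOCK_SIZE:
            raise ValueError("record larger than one block")
        block = self.free.pop(0)
        start = block * BLOCK_SIZE
        self.data[start:start + BLOCK_SIZE] = payload.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = block

    def read_file(self, name):
        block = self.directory[name]
        raw = self.data[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]
        return bytes(raw).rstrip(b"\x00")

    def delete_file(self, name):
        # Ordinary delete: the directory entry goes away and the block is
        # marked free. The bytes in the block are untouched.
        block = self.directory.pop(name)
        self.free.append(block)

    def sanitize(self, passes=2):
        # Overwrite every block, allocated or free, with random data and
        # finally with zeros, then reset the directory. Overwriting the
        # whole device (not just the files you know about) is the point.
        for _ in range(passes):
            self.data[:] = secrets.token_bytes(len(self.data))
        self.data[:] = bytes(len(self.data))
        self.directory.clear()
        self.free = list(range(IMAGE_BLOCKS))


def find_residual_phi(disk, records=PHI_RECORDS):
    """Return the records whose bytes are still present anywhere on the media,
    whether or not a directory entry still points at them. This is the kind
    of check to run before media leaves the organization or changes hands."""
    image = bytes(disk.data)
    return [r for r in records if r in image]


def demo():
    """Returns (files visible after delete, records recoverable after delete,
    records recoverable after sanitize)."""
    disk = ToyDisk()
    for i, rec in enumerate(PHI_RECORDS):
        disk.write_file(f"patient{i}.txt", rec)
    for name in list(disk.directory):
        disk.delete_file(name)
    files_visible = len(disk.directory)
    after_delete = len(find_residual_phi(disk))
    disk.sanitize()
    after_sanitize = len(find_residual_phi(disk))
    return files_visible, after_delete, after_sanitize


if __name__ == "__main__":
    print(demo())  # expect (0, 3, 0): nothing listed, everything recoverable, then nothing
```

The `find_residual_phi` check is the part worth keeping in a real procedure: after sanitizing, verify by reading the media back rather than trusting that the delete or the wipe tool did its job.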

Accountability (Addressable)

Implementation specification: Maintain a record of the movements of hardware and electronic media and any person responsible for them.

What it means to your organization: You must track removable media such as floppy disks, CD-ROMs, diskettes, hard drives, and other media or hardware that contains electronic PHI. This standard also includes tracking everything you dispose of or re-use. The purpose is to prevent malicious copying of electronic PHI that can be removed from your organization as well as to track the rare instances that an organization needs to put PHI on removable media to share with an authorized person.

Data backup and storage (Addressable)

Implementation specification: Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment.

What it means to your organization: Think of this as a mini disaster recovery plan in case the equipment is damaged while moving. You need a backup of the electronic PHI that can be restored.
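The specification asks for a retrievable, exact copy, so the backup needs a way to prove it is exact after the move. The Python script below is an added example, not from this article or from Provaliant; it copies a directory tree, records a SHA-256 manifest alongside the copy, and re-checks the copy against that manifest. The directory names and patient records in it are constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst and write a manifest of
    relative path -> SHA-256 so the copy can later be proven exact."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 keeps timestamps too
        manifest[str(rel)] = sha256_of(path)
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dst: Path) -> list:
    """Re-hash the backup against its manifest. Returns the relative paths
    that are missing or altered; an empty list means the copy is exact."""
    manifest = json.loads((dst / "MANIFEST.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        target = dst / rel
        if not target.exists() or sha256_of(target) != expected:
            problems.append(rel)
    return problems


def demo():
    """Back up a constructed records folder, verify it, then simulate damage
    to one file and verify again. Returns (files backed up, problems before
    damage, problems after damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "workstation"
        dst = Path(tmp) / "backup"
        (src / "records").mkdir(parents=True)
        # Constructed sample records; names and MRNs are made up.
        (src / "records" / "patient_0001.txt").write_bytes(
            b"MRN:0001|Name:Jane Example|socket cast 2003-11-02")
        (src / "records" / "patient_0002.txt").write_bytes(
            b"MRN:0002|Name:John Sample|AFO delivered")
        manifest = make_backup(src, dst)
        before = verify_backup(dst)
        # Simulate a file damaged in transit: truncated content.
        (dst / "records" / "patient_0002.txt").write_bytes(
            b"MRN:0002|Name:John Sample|AFO de")
        after = verify_backup(dst)
        return len(manifest), before, after


if __name__ == "__main__":
    print(demo())  # expect (2, [], ['records/patient_0002.txt'])
```

Run `verify_backup` both right after the copy is made and again after the equipment arrives; a backup that cannot be verified is not a retrievable, exact copy in any useful sense.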

In the next article, we will look at the technical safeguard standards in detail and how each one will affect your O&P organization.

While all information in this article is believed to be correct at the time of writing, this article is informational only and does not constitute the rendering of legal, financial, or other professional advice or recommendations by Provaliant or individual members. If you require legal advice, you should consult an attorney.

Jay Masci is the principal consultant of Provaliant, a company providing IT consulting services, including HIPAA compliance and customized training. Visit www.provaliant.com or contact Provaliant at 480.952.0656.
