The 4 Standards for HIPAA’s Physical Safeguards

HIPAA’s definition on Physical Safeguards: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” HHS.gov

Standard #1: Facility Access Control limits the physical access one has to ePHI and where it is housed.

  • Establish Contingency Operations to maintain physical security and appropriate access in the event of disaster or emergency.
  • Create a Facility Security Plan documenting the safeguards protecting the facility and ePHI from unauthorized physical actions
  • Have Access Control and Validation Procedures to control and validate a person’s access based on their role or function
  • Keep Maintenance Records to record any physical changes to security (including, but not limited to repairs and removals)

Standard #2: Workstation Use and permissive behavior of such must be addressed and documented. This helps Covered Entities ensure their employees’ workstations are physically and virtually safe.

Standard #3: Workstation Security must also be addressed to specify how the workstation will be physically protected from unauthorized users.

Standard #4: Device and Media Controls require that any item storing electronic information must be properly handled, documented, saved, disposed and accounted for. Specifications include:

  • Disposal – Address procedures on how to properly dispose or destroy devices bearing ePHI.
  • Media Re-Use – Make sure that ePHI is completely removed before using for another purpose.
  • Accountability – Keep documentation on the hardware’s whereabouts and information identifying the one responsible.
  • Maintain Data Backup and Storage because updated and accurate ePHI must be accessible on demand.

This sums up another 17 pages or 1/3rd of the HIPAA Security Rule!