The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a letter calling the HIPAA physical security safeguards for electronic protected health information (ePHI), an “often overlooked” element of the HIPAA Security Rule.
There is a common trend among health care professionals to favor cybersecurity safeguards over HIPAA physical security measures, which is the reason behind OCR’s letter. HIPAA regulation clearly outlines the kinds of Technical, Administrative, and Physical safeguards that all health care professionals must have in place.
ePHI is defined as any demographic information that can be used to identify a patient that is stored in an electronic format. Common examples of ePHI related to HIPAA physical safeguards include a patient’s name, date of birth, insurance ID number, email address, telephone number, medical record, or full facial photo stored, accessed, or transmitted in an electronic format.
HIPAA Physical Safeguards
The HIPAA Security Rule requires that all devices with access to ePHI must have HIPAA physical safeguards in place. That includes mobile devices like laptops, smart phones, and tablets that can access, store, or transmit ePHI in any way.
In the past, violations of the HIPAA Security Rule Workstation Security Standard have led to settlements and HIPAA fines ranging from $250,000 to $3.9 million. HIPAA violations and their associated fines are often caused by health care professionals failing to take reasonable steps the address their HIPAA physical safeguards.
“Physical security controls remain essential and often cost-effective components of an organization’s overall information security program,” the letter states.
Privacy screens, device locks, encrypted USB drives, and protected CD ports are some of the cost-effective options that OCR recommends for HIPAA physical security safeguards. OCR also recommends that workstation screens be positioned so that unauthorized individuals cannot easily view them. Additionally, electronic hardware that stores or accesses ePHI such as servers should be kept in secure areas or locked rooms with minimal, role-based access.
The letter advises healthcare officials to consider the following questions when implementing their organization’s HIPAA physical security safeguards:
- Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
- Are any devices located in public areas or areas that are vulnerable to theft, unauthorized use, or unauthorized viewing
- Should devices currently in public or vulnerable areas be relocated?
- What HIPAA physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
- What additional HIPAA physical security controls can be reasonably put into place?
- Are policies in place and are employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
- Are signs posted reminding personnel and visitors about HIPAA physical security policies or monitoring?
OCR’s new guidance urges hospital officials to consider proven methods when taking steps toward compliance with the HIPAA Security Rule before using, purchasing, or implementing additional ePHI physical security measures.
“What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process,” the letter states.