HIPAA Physical Safeguards Require More than Most CEs and BAs Think

By Rebecca Herold

Last updated: December 29, 2023

Here is one of the many questions we receive from our free monthly Privacy Professor Tips awareness publication readers, LinkedIn connections, and our Data Security and Privacy with the Privacy Professor radio/podcast show listeners.

We provided a short answer to it within the January 2024 Tips. However, we wanted to expand upon that information within a blog post. Here is the question:

We have a medium-sized hospital, with seven clinics, telehealth and mobile (including home visits) healthcare services. Different vendors are giving us conflicting information about the requirements for HIPAA physical safeguards. Some vendors have told us that physical safeguards only apply to using locks and cameras on our hospital building. Others said other things. Can you help us understand what HIPAA actually requires to meet their physical safeguard requirements?

Sure! Happy to help.

Under HIPAA, physical safeguards apply to four areas, throughout the full protected health information (PHI) lifecycle: from collection/creation, through all areas where the PHI is accessed and stored, through to when it is destroyed. This includes not only the business environments of covered entities (CEs), but also all the environments of business associates (BAs). These four areas include the following.

  1. Facility access controls. The “facility” includes your hospital and clinic buildings and associated property and structures along with your BAs’ facilities and associated property and structures; your mobile vehicles (e.g., vans, trailers, etc.); and any other location (e.g., employees with home offices, the patient home care areas while treatment is being provided, etc.) where PHI is located and from where PHI is accessed. The HIPAA requirements for physical access controls within these diverse, and sometimes temporary, facilities include the following based upon risk levels for each:

    • Contingency operations. The physical security for areas where work occurs when a work stoppage, emergency or disaster has caused business operations to be moved elsewhere, during response and restoration activities. This includes physical access into the areas where work is being performed. During this time, CEs and BAs must maintain physical security and limit access to PHI to only those authorized while restoration activities are being performed. Examples of such physical security actions include but are not limited to:

      • Securing the paper and digital storage media that contain or could provide access to PHI in any form

      • Ensuring telehealth images and audio are not physically accessible during treatments, nor on the media where any recordings are stored

      • Restricting physical access to viewing the screens on, and using the keyboards of, computing devices that provide access of any kind to PHI

      • Limiting the ability of unauthorized individuals, as well as listening devices (e.g., digital assistants like Amazon Echoes and Google Homes), to hear communications about patients and insureds

      • Limiting all other types of physical access that could lead to unauthorized access to PHI in any form, based upon each CE’s unique business environments, wherever work is performed; within business facilities and in other locations such as employee homes, in BAs’ work areas, while traveling, etc.

      • Training all personnel who would be involved with the above activities

    • Facility security plan. These are the policies and procedures documenting the physical safeguards for all types of access to and associated media for PHI. These include policies and procedures for:

      • All the types of physical access to all types of media, visual and audible access to PHI

      • All the computing and digital storage equipment, including servers, IoT products, and any other types of devices

      • Giving and removing access to such physical locations, environments and computing and storage equipment, including employee-owned equipment that is used to support business activities

      • Documentation about controls to prevent tampering and theft, such as locked doors, signs, barriers, surveillance cameras, property control tags, identification badges, escorts, security guards, etc.

      • Training all personnel who would be involved with the above activities

    • Access control and validation procedures. These are policies and procedures to control and validate each individual’s access to and within facilities and associated work areas based on their roles and work responsibilities. The topics that need to be covered include:

      • Visitor controls in and out of the facilities, and to sensitive or access-restricted locations (e.g., computer operations)

      • Controlling the use of software brought into the facilities for testing, software updates, vulnerability assessments, penetration testing, audits, etc.

      • Controls that ensure each individual’s access to information is based upon their role, position function and job responsibilities within the organization

      • Identity verification (e.g., photo badges/IDs) in larger organizations where all employees are not known to all others

      • Management review of those with access to facilities and restricted access areas

    • Maintenance records. Policies, procedures and supporting documentation for all types of facility security repairs and modifications (e.g., changing access security codes and locks) and regularly checking the maintenance records and installing new security hardware and products. Such documentation will vary for the type and size of facilities. For example, a small clinic with just a few employees will require different types of policies, procedures and documents (e.g., sign-in logs) than large multi-location hospital systems. This also includes training all personnel who would be involved with the above activities.

  2. Workstation use. A workstation is defined by HIPAA as, “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.” So, this covers any type of computing device and product components, whether owned by the organization or by workers. HIPAA requires each CE and BA to specify the proper functions to be performed by all the computing devices. However, like all standards, each CE and BA must implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access PHI. Physical risks for workstations and associated work areas need to be determined, and appropriate controls implemented to mitigate the risks. Examples of risks include, but are not limited to, inappropriate use of computer workstations that could expose a CE to risks, such as virus attacks, compromise of information systems, breaches of confidentiality, and theft of components. All needed physical security controls need to be covered within associated physical security policies and procedures. This also includes training all personnel who would be involved with the above activities and work areas.

  3. Workstation security. This standard requires CEs and BAs to implement physical safeguards for all workstations (including the areas around the computing devices and components) that access PHI, and to restrict access to authorized users. The Workstation Security standard addresses how workstations are to be physically protected from unauthorized users. A variety of strategies may be implemented to restrict access to workstations with PHI. One way may be to completely restrict physical access to the workstation by keeping it in a secure room where only authorized personnel work. As with all standards and implementation specifications, what is reasonable and appropriate for one CE or BA may not apply to others. The risk assessment should be used to help make decisions about the controls to implement. Actions that CEs and BAs need to take include:

    • Identifying and implementing appropriate physical safeguards for all workstations that access PHI to ensure access is restricted to only authorized users

    • Identifying and documenting all types of workstations that access PHI, including all types of computing devices such as laptops, tablets, smartphones, desktop computers, employee-owned computers, terminal screens that display PHI, etc.

    • Identifying risks and implementing additional physical safeguards as necessary to mitigate risks to workstations with access to PHI

    • Documenting all the physical safeguards used to protect the workstations within the Workstation Use policies and procedures

    • Providing regular training to all personnel who are involved with the above activities and work areas

  4. Device and media controls. These CE and BA requirements include implementing policies and procedures that govern the receipt and removal of hardware and electronic media and computing components that contain PHI, into and out of a facility where work is performed, and the movement of these items within facilities where business activities occur. Electronic storage media include memory devices in computers (e.g., hard drives, SIM cards) and any removable/transportable digital memory medium, such as a magnetic tape or disk, optical disk, digital external memory card, CD, DVD, USB thumb drive, etc. This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability. Key requirements include:

    • Developing, documenting and implementing policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI, into and out of all facilities used by the organization, and the movement of these items within the facility

    • Identifying and documenting within the policies and procedures the types of hardware and electronic media that must be tracked

    • Identifying and documenting all types of hardware and electronic media that must be tracked such as hard drives, magnetic tapes or disks, optical disks, digital memory cards, CDs, DVDs, USB thumb drives

    • Providing regular training to all personnel who are involved with the above activities and work areas

The Device and Media Controls standard has four implementation specifications:

    • Disposal

    • Media Re-Use

    • Accountability

    • Data Backup and Storage

Each CE and BA must implement the physical safeguards and associated procedures and tools that are appropriate for their own associated environments and risks.