Categories: Backup & Disaster Recovery; Government IT Security

HIPAA Physical Safeguards

What are HIPAA Physical Safeguards?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA, Pub. L. 104-191) was enacted to protect both the continuity of health insurance coverage and the privacy of medical information. Its primary goals include protecting health insurance coverage for workers and their families when the insured employee changes or loses a job, safeguarding the security and confidentiality of patient health information, and establishing standards for the electronic exchange of health care information. HIPAA required the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.1 To that end, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule establishes national standards for the protection of certain health information, and the Security Rule establishes national security standards for the protection of that information when it is held or transferred in electronic form.

The Security Rule requires covered entities to maintain reasonable and appropriate safeguards for protecting electronic protected health information (e-PHI) in three distinct areas: administrative, technical, and physical. Administrative and technical safeguards are well-known parts of an e-PHI security plan, but physical safeguards should not be overlooked. The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”2 In practice, every location or device with physical access to e-PHI, including offices, homes, vehicles, storage centers, USB drives, laptops, and other mobile devices, is a place where the covered entity must ensure e-PHI is properly secured. The physical safeguards comprise four standards: Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. Controlling and validating access is a key consideration for covered entities. The Facility Access Controls standard has four implementation specifications, all of which are designated “addressable” (the entity must assess whether each is reasonable and appropriate and document its decision):

Contingency operations. Establish and implement procedures that allow facility access in support of restoring lost data under the disaster recovery plan and the emergency mode operations plan in the event of an emergency.

Facility security plan. Document and define the physical controls employed to prevent unauthorized physical access to the facility and the equipment holding e-PHI, such as restricted areas, surveillance cameras, or alarm systems.

Access control and validation procedures. Control and validate a person’s physical access to facilities based on their role or function in the organization, including visitor control, and ensure that these role-based procedures closely align with the facility security plan.

Maintenance records. Document repairs and modifications to the physical components of a facility that are related to security, for example hardware, walls, doors, and locks, and retain those records.

The Device and Media Controls standard has four implementation specifications. Disposal and media re-use are “required”; accountability and data backup and storage are “addressable”:

Disposal. Implement policies and procedures for the disposal of e-PHI and the hardware or electronic media on which it is stored.

Media re-use. Implement procedures for the removal of e-PHI from electronic media before the media are available to be re-used.

Accountability. Maintain records of the movements of hardware and electronic media and of the person responsible for them.

Data backup and storage. Create retrievable, exact copies of e-PHI, when needed, before movement of equipment.
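The last specification is easy to state and easy to get wrong: a copy is only “exact” if it can be shown to match the original, and only “retrievable” if that check can be repeated after the equipment has moved. The following is an added example, not code from the page, HHS, or CMS, of one way to make that property auditable: copy a directory of records, record a SHA-256 manifest of every file, and re-verify the copy against the manifest (here also after a simulated corruption of one copied file). The directory layout, file names, and record contents are constructed for the demonstration; the hash-manifest approach is the author’s choice, not a requirement of the Rule.

```python
# Added example (not from the page or from HHS/CMS): make an exact, retrievable copy of an
# e-PHI directory before equipment is moved, record a SHA-256 manifest, and verify the copy
# against it. All paths and file contents below are constructed for the demo.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the manifest written beside the copy


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large records need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, backup_dir: Path) -> dict:
    """Copy every file under source_dir into backup_dir and return a manifest mapping
    relative path -> SHA-256 digest computed from the *source* files. The manifest is
    what makes the copy auditable: 'exact' means every digest still matches later."""
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 preserves timestamps as well as content
        manifest[rel.as_posix()] = sha256_file(src)
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> list:
    """Return the relative paths whose copy is missing or whose digest no longer matches
    the manifest. An empty list means the copy is exact and retrievable."""
    problems = []
    for rel, expected in manifest.items():
        copy = backup_dir / rel
        if not copy.is_file() or sha256_file(copy) != expected:
            problems.append(rel)
    return problems


def demo() -> tuple:
    """Constructed scenario: back up three records, verify, then corrupt one copy and
    show the manifest catches it. Returns (file count, problems before, problems after)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "ehr"
        backup = Path(tmp) / "backup"
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "record-001.txt").write_text("MRN 1001, constructed sample")
        (source / "patients" / "record-002.txt").write_text("MRN 1002, constructed sample")
        (source / "audit.log").write_text("2024-01-01 access by user alice (constructed)")

        manifest = create_backup(source, backup)
        clean = verify_backup(backup, manifest)

        # Simulate silent corruption of one copied record after the backup was taken.
        (backup / "patients" / "record-002.txt").write_text("MRN 1002, corrupted")
        after_tamper = verify_backup(backup, manifest)

        return len(manifest), clean, after_tamper


if __name__ == "__main__":
    print(demo())  # (3, [], ['patients/record-002.txt'])
```

The manifest is computed from the source files, not the copies, so a copy that was corrupted during transfer is caught on the first verification rather than silently blessed. Keep the manifest with the accountability record for the move, and run the verification again at the destination before the original equipment is wiped or reused.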

1. HHS.gov, 2022, “Summary of the HIPAA Security Rule.”

2. CMS, HIPAA Security Series, Volume 2, Paper 3, March 2007, “Security Standards: Physical Safeguards.”