Physical Safeguards

Physical Safeguards, as defined in 45 CFR § 164.304, are the physical measures, policies, and procedures that protect a covered entity’s or business associate’s electronic information systems, and the related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion.

(Ref: HIPAA, Subpart C - Security Standards for the Protection of Electronic Protected Health Information)

The Physical Safeguards section of the Security Rule (45 CFR § 164.310) contains four Standards. These are:

1. Facility Access Controls Standard

   Requires covered entities and business associates to “implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

2. Workstation Use Standard

   Requires implementation of “policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

3. Workstation Security Standard

   Requires implementation of “physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

4. Device and Media Controls Standard

   Requires implementation of “policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”

Note that the Facility Access Controls and Device and Media Controls standards carry implementation specifications marked “addressable” (for example, a facility security plan, or accountability for hardware and media). Addressable does not mean optional: the entity must assess whether the specification is reasonable and appropriate, implement it or an equivalent alternative, and document the decision.

Workstation Security: in Focus

Some questions to consider relating to Workstation Security:

1. Is access to the workstation area restricted to authorized employees only?

   Are your workstations continuously attended?

   During intervals when a workstation is unattended, is there a lock or a physical barrier in place so that unauthorized persons cannot access it?

2. Do you have physical safeguards at your workstations to ensure that electronic Protected Health Information (ePHI) cannot be viewed by unauthorized persons (e.g., privacy screen filters for monitors, monitors positioned away from public areas)?

3. Are all devices at the workstation kept secured against theft and other unauthorized access and use at all times?

4. Would installing CCTV and an alarm system be applicable and beneficial for your workstation area and workplace as a whole?

5. Do your employees carry portable workstation devices (laptops, tablets) to other areas of your workplace? If yes, you may want to revisit your policies on this matter. If carrying workstation devices to other areas is an indispensable practice and it conforms to your organization’s policies, do you use extra safeguards such as computer cable locks (e.g., Kensington cable locks)?

6. Do you have locked cabinets or a security-rated safe for storing portable/mobile devices and other sensitive or confidential files?

7. Do you have asset labels and tags on your office devices so that they are easily identifiable and can be tracked when they move within or out of the facility?

8. Do you inspect your workstations regularly to make sure the safeguards remain in place, and do you record the results of those inspections?