HIPAA Physical Safeguards: Security Rule Implementation

Hospital executive showing clearance badge demonstrating HIPAA physical safeguards.

HIPAA’s Security Rule requires that there be measures, policies, and procedures in place that address a covered entity or business associate’s efforts to secure electronic protected health information (ePHI). It further specifies the need for these to address administrative safeguards, technology safeguards, and physical safeguards. This article will focus on what you need to know about HIPAA physical safeguards.

In this Article …

What does the HIPAA Security Rule Mean by Physical Safeguards?

Title 45 of the Code of Federal Regulations (CFR) is our go-to source for the facts on all this. And that’s where we find the official definition as follows …

“Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.”

~ CFR, Title 45 §164.304

So physical safeguards refer to physical measures, policies, and procedures that directly address limiting access to ePHI except for those who are specifically authorized. And these will apply to each of the four standards that the law spells out.

That sounds pretty straightforward, and it is on the surface. However, as with most anything else, once we get into the details we begin to get a greater appreciation of the scope of implementation. So let’s move on.

Required vs. Addressable Implementation Specifications

It’s worth stating here that the Security Rule does not always provide specifics on what the exact security measures are that covered entities must implement to protect ePHI. Rather, it provides guidelines that they can use as they design and deploy their own implementation plans. A leading reason why there are guidelines rather than specifics is that it’s recognized that the healthcare and technology fields are rapidly changing, and no two settings are quite alike. So, depending on the size and type of the organization, different measures are likely going to be needed. For example, the appropriate security measures for a small physician’s office will look much different than those implemented by a large acute care hospital.

To that end, the HIPAA Security Rule standards have two types of implementation specifications that apply … Required and Addressable.

  1. Required: These are mandatory for all covered entities.
  2. Addressable: These allow the covered entity flexibility in implementation. However, that does not mean they can be ignored altogether. As an example, ePHI must be kept secure, but there is no dictation from HHS on the exact way of carrying this out.

Also, you can choose not to implement an addressable specification, but in its place, you must use an alternative method for safeguarding the data. Plus you need to document both what you’ve done as well as your reasons for doing so.

Conducting a HIPAA Risk Analysis will go a long way toward helping you to figure out where your exposure is, and what the proper protocols will be to address those according to your unique setting and circumstances.

With that said, let’s get into the Physical Safeguard Standards and what their implementation looks like. We’ll cite the applicable government code as we go so you can see how each clause is applied.

What are the Standards Under HIPAA Physical Safeguards?

The standards under physical safeguards include:

  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

The Security Rule requires covered entities to implement these physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity’s premises or at another location.

STANDARD: Facility Access Controls

“Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

~ 45 CFR § 164.310(a)(1)

§ 164.304 Definitions describe Facility to mean, “… the physical premises and the interior and exterior of a building(s).”

So the language of the Standard and the definition of “facility” make it pretty clear that here we’re talking about the physical environment where the systems that are used to access and house ePHI. This means on-site systems as well as off-site and cloud storage.

For these Facility Access Controls, regulations provide us with four implementation specifications, all of which are addressable.

Contingency operations (Addressable)

“Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”

~ 45 CFR § 164.310(a)(2)(i)

Contingency operations outline a covered entity’s policies and procedures for responding to a disaster or other emergency where all or part of their system containing ePHI is down or malfunctioning. Items to be addressed here are having to do with bringing systems back online, resurrecting secure access to ePHI, and restoration of lost data. Also to be addressed are procedures for how to continue operations during such an event and to do so in a manner that continuously ensures the security of existing ePHI. The manner in which cloud or offsite backups are handled and stored, as well as the process for retrieval of backups, should be part of your documented plans.

Hopefully, you won’t have the opportunity or reason to exercise these steps in real life. But in a lesser case scenario, very well-thought-out and drafted plans can be a savior in time of need. So think about things like …

  • Access to facilities housing electronic information systems during electrical power loss.
  • Are there methods of establishing emergency power generation during a failure?
  • Specific policies that designate who has physical access to facilities that house electronic information systems during times of power failure or other emergencies/natural disasters.

Facility security plan (Addressable)

“Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”

~ 45 CFR § 164.310(a)(2)(ii)

The facility security plan is where covered entities spell out and implement the details of the security measures in place to ensure that only those individuals who are authorized will have physical access to ePHI. This includes limiting physical access to electronic information systems to only staff members and business associates whose job function requires such access. Examples of measures that can assist with this limitation include …

  • Locked access doors
  • Key distribution and logging
  • Security/ID badges
  • Visitor badges
  • Access alarm trips
  • Security camera surveillance systems and record keeping
  • Security personnel
  • Active systems for monitoring and updating all of the above

Access control and validation procedures (Addressable)

“Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.”

~ 45 CFR § 164.310(a)(2)(iii)

So here we see that the Access Control and Validation Procedures are to ensure that each person’s access to protected information is strictly limited according to their role or function within an organization. These measures should work in concert with the Facility Security Plan, using procedures designed to identify which workforce members should be permitted into certain locations of the premises based on “need-to-know” criteria. So, for example, think of it as not whether or not identified areas need to be physically secured or not. But rather think of it as within those identified areas, who will be given access.

Some things to consider with this implementation specification are …

  • Procedures to match access to facilities based on an employee or business associate’s role and job function. This means tying access to details of written job descriptions or business relationships as well.
  • Procedures to verify someone’s right to facility access.
    1. Security personnel
    2. ID Badges
    3. Issuance of key cards
  • Procedures for visitor controls.
    1. Require government-issued photo ID
    2. Check-in/sign-in logs
    3. Visitor badges issued
    4. Check-out logs
    5. Escorts provided in specified areas
  • Procedures to review the completeness and accuracy of the connection of role to facility access on a regular schedule.
  • Procedures for monitoring the implementation of all the above procedures.

Maintenance records (Addressable)

“Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).”

~ 45 CFR § 164.310(a)(2)(iv)

With the Maintenance Records implementation specification, it stands to reason that many of the physical safeguards addressed in these regulations are going to require some degree of upkeep. So that means there will undoubtedly be maintenance, repair, and replacement of parts and systems as time passes. Keeping these security features and systems operating as intended requires a special emphasis on being proactive, and on doing things correctly. Maintenance records create a paper trail of proper upkeep and a window into specifically what was done when it was done, and who did it.

Ironically, maintenance and repair work also opens the door for things being done wrong, and possibly inadvertently creating a hole in the very security that’s supposed to be getting shored up. In this regard, maintenance records create a monitoring tool and establish accountability.

Considerations for meeting needs related to maintenance records may include …

  • Policies and procedures for how to document maintenance and repairs.
  • Policies and procedures that properly cover the spectrum of items addressed in the facility’s implementation of the HIPAA security rule.
  • Policies and procedures that address triggers where otherwise non-scheduled maintenance, repair, modification, or replacement must be performed. Example: When an employee with high access to ePHI leaves employment steps need to be taken to ensure that when they leave they no longer are able to have any level of access that they did while in their prior role.

STANDARD: Workstation Use

“Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

~ 45 CFR § 164.310(b)

For proper context as we delve into the Workstation Use Standard, we can first refer to § 164.304 where we see that the definition of what the HIPAA security rule considers a Workstation is, “… an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”

The Workstation Use Standard requires covered entities to specify the proper functions to be performed by “electronic computing devices”. It also covers the physical attributes of workstations’ surroundings, as well as appropriate business use for those that are off-site. To comply with this standard, covered entities must implement policies and procedures that specify how these functions should be carried out and assess their physical surroundings for any risks associated with a workstation’s environment.

The following are considerations for the implementation of the Workstation Use Standard …

  • Depending on the size and complexity of the covered entity, policies and procedures may or may not be workstation specific. If they are, then identification can as specific as a single workstation identified via an equipment ID tag, or more broadly as in a type of workstation (e.g., mobile medical cart workstations), or by location description (e.g., in radiology department). And be sure to address things like …
    1. Main facility
    2. Satellite offices
    3. Home offices
    4. In-field work areas (e.g., home health)
  • Policies and procedures that address the identification of those workstations that have or do not have access to ePHI.
  • Policies and procedures that address the “way” work is conducted.
    1. Specific software used
    2. Password strength rules
    3. Use of two-factor authentication
  • Policies and procedures for logging out of the system/workstation.
  • Policies that provide an itemized list of “what” a workstation can be used for.
  • Policies that provide examples of those things that a workstation cannot be used used for.
  • Policies and procedures addressing the environment surrounding the workstation.
    1. Positioning screens away from public view.
    2. Use of privacy screens
  • Policies and procedures that address the use of personal devices for accessing ePHI.
    1. Home computer
    2. Smartphone

STANDARD: Workstation Security

“Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

~ 45 CFR § 164.310(c)

The Workstation security standard requires literal physical safeguards that would keep unauthorized individuals from accessing the workstation in the first place. An extreme example of how this would be achieved is by the workstation being placed in a room that can only be accessed by authorized individuals as identified in the Access Control and Validation Procedures discussed earlier.

A few things to consider while assessing the needs for meeting this standard are …

  • Are there rooms or designated areas where workstations that have access to ePHI can be secured to only permit authorized users?
  • Are current methods of maintaining the above access control adequate?
  • Is the equipment located in these designated areas physically anchored to the workstation with security cables to ensure they are not moved from the protected area?

STANDARD: Device And Media Controls

“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

~ 45 CFR § 164.310(d)(1)

With Device and Media Controls, for clarification on what is meant by “electronic media”, HHS defines it as … electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…”.

With this Standard, we again have regulations providing us with four implementation specifications. Two are required, and two are addressable.

Disposal (Required)

“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

~ 45 CFR § 164.310(d)(2)(i)

With Disposal, covered entities are required to develop and implement policies and procedures for the disposal of electronic media and hardware containing ePHI. Considerations here may include policies and procedures that outline the following methods …

  • Clearing:  the use of specialized hardware or software to overwrite electronic media with non-sensitive data.
  • Purging: via degaussing – exposing electronic media to strong magnetic fields that disrupt recorded magnetic domains.
  • Destroying the electronic media:  this by the act of disintegration, pulverization, melting, incinerating, or shredding.
  • Ensure that the policies specify that they are carried out by individuals who are authorized to dispose of ePHI and/or the hardware and electronic media where it is stored. And outline the training of such individuals.

Media re-use (Required)

“Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.”

~ 45 CFR § 164.310(d)(2)(ii)

Here, assuming the media used to store ePHI was not destroyed, it may be re-used, but only if first handled properly. This re-use may be the result of repurposing hardware or electronic media where it no longer will access ePHI. Examples are it may be under new use by the covered entity, or it may have been donated to an outside organization. Therefore there will be the need for policies and procedures addressing how this re-use may occur. Some items for possible inclusion in these policies and procedures are …

    • Outlining the proper method of removing ePHI from the hardware or electronic media.
    • Include procedures for verifying that ePHI has been removed from the media or device, the controls in place to prevent unauthorized access during re-use, and the roles and responsibilities of staff involved in the re-use process.
    • Describe staff training on re-use procedures.

Accountability (Addressable)

“Maintain a record of the movements of hardware and electronic media and any person responsible therefore.”

~ 45 CFR § 164.310(d)(2)(iii)

Accountability addresses the need to know where hardware and electronic media that access ePHI is at any given time. This includes if the hardware or electronic media has been relocated from one secure area to another. Furthermore, to help ensure these records are maintained and accurate, the individual(s) carrying out the relocation needs to be known as well.

In today’s healthcare settings, as hardware and other devices become smaller and more mobile, this implementation specification has growing challenges. But, because it’s an addressable implementation specification, there is room to make policies and procedures that fit the covered entity.

  • Consider a policy for labeling electronic media and hardware with a unique identifier that can be tracked throughout its lifecycle.
  • Utilize audit logs for monitoring usage and disposition of hardware and electronic media. These audits should include an assessment of whether electronic media and hardware are properly labeled and tracked, whether appropriate access controls are in place, and whether staff followed the policy and procedures correctly.
  • Ensure training of applicable personnel on the adopted Accountability policies and procedures.

Data backup and storage (Addressable)

“Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”

~ 45 CFR § 164.310(d)(2)(iv)

Sometimes it seems as “if it can go wrong, it will go wrong”. And that’s what the Data Backup and Storage implementation specification addresses. It requires that there be an exact copy made of the housed ePHI before hardware or electronic media is moved … just in case there’s a worst-case scenario.

Considerations here might be …

  • Policies and procedures outlining under what circumstances such a backup shall be made, and how/where will it be stored.
  • Are there any exceptions where such a backup is not required, and if so, what are they?
  • Include the party who is responsible for creating and storing the backup, assuring that only those authorized to do so carry out this task.
  • Draft the method of training and monitoring for the proper execution of data backup and storage related to the relocation of hardware and electronic media that accesses ePHI.


Why HIPAA Physical Safeguards are so Important

Physical safeguards are an important part of HIPAA because they help to protect ePHI from unauthorized intrusion, theft, and loss. By implementing physical safeguards, covered entities, and business associates can help ensure the confidentiality, integrity, and availability of ePHI, as is required by the HIPAA Security Rules. And, lastly, they can also help to prevent security incidents or breaches that could result in significant financial and reputational harm.

The physical safeguards required by HIPAA Security Rules must be implemented correctly and with proper due diligence, for them to be effective. If your organization is struggling to understand exactly how physical safeguards should be implemented, it may be time to consider professional assistance. A qualified consultant can help you develop the necessary procedures and controls that will ensure your organization’s compliance with these important yet nuanced laws.

When you need proven expertise and performance