With all the recent headlines regarding cyber security breaches, it is easy for companies to forget about the physical security controls they must put into place. This crucial element of the HIPAA Security Rule will vary in implementation depending on the company, and how they manage their security risk process. The Department of Health and Human Services provides more details of the HIPAA Privacy Rule.

For those who must comply with the HIPAA Security Rule, they are required to…

“Implement physical safeguards for all workstations that access electronic protected health information [EPHI], to restrict access to authorized users,” where a workstation is defined as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.” (HIPAA Security Series, hhs.gov)

HIPAA document of requirements

Given all the controls that must be carried out–both physical and non-physical–costs to the company can be high. However, physical controls can often be low-cost measures that a company can put into action, which can greatly increase protections. Some no-cost physical controls include: policies that require workstations and/or office doors to be locked while employees are away from their desk, as well as arranging workstations so they are not visible to everyone. Other low-cost options available are computer privacy filters or USB port locks that will restrict access to sensitive data and prevent the transferring of information.

Those healthcare companies who fail to comply with HIPAA’s security safeguards can potentially face civil or criminal penalties, resulting in large financial loss. Therefore, it is crucial for companies who fall under HIPAA regulations to appropriately assess their security processes to determine if they are meeting all controls, and to fix any vulnerabilities identified.

When companies evaluate the state of their physical security plan, some questions they can ask themselves are…
  • What physical security controls do we already have in place and what additional controls can we realistically put into place?
  • Are all of our employees aware of the policies and procedures relating to physical security controls? And are they properly following these policies and procedures?
  • Does the company have an updated and accurate inventory of all devices containing health information? And is the physical location of all devices documented?
  • Are there devices located in vulnerable areas? And should any devices be moved or secured?
  • Are we properly educated on all aspects of HIPAA that apply to us?

When it comes to getting your information security program on track and in full compliance, it can be quite daunting and a huge constraint on resources; however, physical security controls should really be a top priority…they are not only necessary, but quite frequently, they can be economical solutions to your security challenges.