HIPAA Series Part Two: How to Protect PHI Through Physical Safeguards

Protecting PHI Through Physical Safeguards

Has your organization ever terminated an employee? Did you have a procedure to collect that employee’s keys and badge so they couldn’t easily gain physical access to your organization and its PHI? Most likely, you can answer yes to both of these questions. These are examples of steps to protect PHI through physical safeguards.

The $200,000 Settlement

One covered entity paid the HHS Office for Civil Rights (OCR) a settlement of over $200,000 because, in part, it failed to follow through on these kinds of physical safeguards. According to OCR’s investigation, the covered entity terminated an employee during her probationary period. Eight days later, the former employee and a union representative entered the covered entity’s offices. Using her work key, the former employee entered her old office and locked herself and the union representative inside. While inside the office, the former employee logged into her old computer with her username and password and downloaded information from the computer onto a USB drive. The former employee then removed boxes containing personal items and paper documents. This was witnessed by a student intern who was present at the time. The former employee and the union representative then both exited the building.

These actions resulted in the impermissible disclosure of nearly 500 individuals’ PHI. Would these things have happened if the organization had taken back the former employee’s work key? Other failures occurred, such as not terminating the employee’s computer login credentials, but it’s likely that if the physical security of the premises had been tighter, the former employee and union representative would not have been able to gain physical entry into the offices, which would have prevented the other actions from taking place.

What are Physical Safeguards?

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

HHS has stated that when evaluating and implementing these standards, a covered entity must consider all physical access to ePHI. This may extend outside of an actual office and include workforce members’ homes or other physical locations where they access ePHI.

It is difficult enough to physically secure an organization’s headquartered offices and facilities. Consider, for example, all the healthcare workers who worked from home during the pandemic. Were their workstations physically secured? If they printed documents at home that contained PHI, did they have a mechanism to physically keep those documents secure? Some of these requirements are Security Rule requirements, while others might be Privacy Rule requirements, but the concept of physical safeguards, in general, helps protect PHI or electronic PHI (ePHI).

Facility Access Control

An important standard of the Physical Safeguards Requirement is Facility Access Controls. It requires covered entities to “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.”

Some points to consider for this first physical safeguard standard:

    • Do your organization’s policies and procedures address allowing authorized, and limiting unauthorized, physical access to electronic information systems and equipment?
    • Do the policies and procedures identify individuals (workforce members, business associates, contractors, etc.) with authorized access by title and/or job function?
    • Do the policies and procedures specify the methods used to control physical access, such as door locks, electronic access control systems, security officers, or video monitoring?

Workstation and Device Security

Another crucial physical safeguard standard is workstation and device security. This standard requires entities to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility and the movement of these items within the facility.”

The term “electronic media” encompasses “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory media, such as magnetic tape or disk, optical disk, or digital memory card….”

Does this sound a little bit like herding cats? It sure can feel like it. Think about all the portable USB flash drives, laptop computers, electronic tablets, and phones that probably contain ePHI. Think about how they’re moving in and out of facilities frequently to homes, coffee shops, parks, and little league games. Think about keeping track of all those moving pieces all the time. This is why some organizations decide to only allow ePHI on certain types of devices. For example, they may disable USB ports on computers so individuals cannot download any information onto unauthorized, portable flash drives.

Some questions to ask about this standard may include:

    • Do your organization’s policies and procedures govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility and the movement of these items within the facility?
    • Do the policies and procedures identify the types of hardware and electronic media that must be tracked?
    • Have all types of hardware and electronic media that must be tracked been identified, such as hard drives, magnetic tapes or disks, optical disks, or digital memory cards?

Further Examination

The Physical Safeguards requirements are more comprehensive than this current document can address. Other issues not addressed in this eBrief include the physical disposal of devices containing ePHI, re-use of devices containing ePHI (think re-purposing laptops or other equipment), data backup and storage, contingency operations, facility security plan, access control/validation procedures, and maintenance records. It’s a lot to consider. And it’s crucial to stay informed and in front of it all. Addressing the physical security of locations and equipment where ePHI is housed is essential to your overall HIPAA Security compliance program.

In the other eBriefs in this series, we covered other essential elements of the HIPAA Security Rule. You can download those using the links below.
