HIPAA Compliance Plan
« Previous PageHIPAA Regulations Table of ContentsNext Page »

Download a FREE copy of the HIPAA Survival Guide 4th Edition.


Contact us: Mature Compliance Programs Made Easier!

Physical Safeguards The Physical Safeguards (“PS”) represent the most straight forward of the Rules’s safeguards, at least from a comprehension perspective. By and large, the PS standards have to do with securing the facilities where PHI is house, and securing workstations, devices, and media that contain PHI. The PS contains four standards and six implementation specifications, only two of which are required. How these standards are implemented, from a practical perspective, will vary with the size of the Organization. Now cameras and other such devices (e.g., intrusion protection) are affordabole to most organizations and should likely be installed.

§164.310 Physical safeguards.

A covered entity or business associate must, in accordance with §164.306:

(a) (1) Standard: Facility access controls.  Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

(2) Implementation specifications:

References: §164.310 (a)(2)(i) Contingency operations.

Process: Facility access to all required plant and equipment should be provided to authorized and named Workforce members (and their respective backups) by your CO and CIO in your DRP and as required during actual emergency mode operations. Provisions should be made to transport essential emergency mode Workforce members as required during emergency mode operations. For example, this could mean ensuring the availability of specialized vehicles to ensure that these Workforce members can gain access to the required physical plant and equipment. State of readiness emergency mode processes shall be triggered immediately whenever a likely emergency is predictable (e.g., a pending hurricane).

Tracking: Emergency mode plans for access to physical plant and equipment should be stored in your Compliance Repository as part of your DRP. Postmortems will be conducted and documented after actual emergencies to ensure that access to physical plant and equipment was provided in an effective and timely manner. Postmortem documentation should also be stored in your Compliance Repository.

Contingency Operations: What is this? This requirement mandates that you protect your facility from unauthorized intrusion by individuals who may unlawfully attempt to get access to your PHI. This ranges from having locks and/or access cards on doors to installing cameras and more sophisticated equipment to prevent said intrusion. Post Covid, this also means ensuring that such physical protection exists for Workforce members that work from home.

(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

References: §164.310 (a)(2)(ii) Facility security plan.

Process: Your CO should designate areas within your physical plant as “secured areas” and only allow authorized Workforce members access to those areas. Your CO and CIO should investigate the feasibility of installing surveillance cameras and alarms in all secured areas, but especially those deemed mission critical from an ePHI perspective. Security access instruments should be issued to authorized personnel granting Workforce members access to secured areas as required.

Tracking: Documentation regarding which Workforce members have access to designated secured areas should be stored in your Compliance Repository. Random audits of surveillance camera recordings should be conducted periodically and after each breach or attempted breach of ePHI. Surveillance camera recordings should be stored in your Compliance Repository. Your CO and CIO should make recommendations regarding bar coding or other identification mechanisms that may be used to label equipment used to create, access, transmit, store or maintain ePHI.

Facility Security Plan: What is this? Obviously, post Covid, your facilities now also mean those remote locations that your Workforce members may be using to access PHI. Common sense is in order here because your central focus remains the primary facility where your patients physically come and receive treatment. Although, this also gets complicated because of the advent of telemedicine and the fact that treatment may be provided nearly from any location. The entire concept of “facility” has changed somewhat, and your facility plan needs to include these new locations.

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Access Control: What is this? Again, the meaning of “Secured Areas” has changed in the world of Covid and Telemedicine. Nonetheless physical security hygiene must be maintained at all locations where PHI is accessed. With the universal use of mobile devices to access PHI this has now been true for a long period of time. Covid and Telemedicine simply provide more express awareness of the extension of what should be considered a “Secured Area.”

(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

References: §164.310 (a)(2)(iv) Maintenance records.

Process: Your CO should develop and maintain a log of security modifications such that security changes to your ePHI plant and equipment can be tracked over time. Your CO should analyze and document plant and equipment precautions that should be taken when a Workforce member with a high level of security clearance terminates (e.g.,a system administrator, database administrator, network administrator, etc.).

Tracking: Your plant and equipment security modification log should be maintained in your Compliance Repository. Documentation regarding additional physical plant and equipment precautions that should be taken for specified Workforce members should be stored in your Compliance Repository.

Maintenance: When the physical nature of your facility/operational environment changes then the organization must maintain logs of same. The mandate here is that the changes do not impact the “Secured Areas” that have already been established in some sort of negative way. Anytime equipment is moved or physical layout is changed there is a risk that PHI my be imposed in a way not anticipated. These logs capture what moved, changed, or build out.

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

References: §164.310 (b) Workstation use.

Process: Your CO should conduct random audits to ensure that mobile devices are only used according to your Policy. Workforce members that violate your mobile device usages policies should be sanctioned.

Tracking: Your CO should store mobile device audit reports in your Compliance Repository. Your CO and CIO should stay abreast of evolving mobile device security best practices and enabling technologies that can reduce Risk to ePHI.

Workstation Use: Only devices designated for accessing, updating, and deleting should be used as such. Using non-designated devices creates Risk because said devices may not be secured properly. For example, encrupytion may not be applied as required. However, we normally suggest that any mobile device, including Workstations only be used as access only devices.

(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

References: §164.310 (c) Workstation security.

Process: Your CO should document and implement physical safeguards per class of mobile computing device. Your CO and CIO should also document and implement physical safeguards for enterprise computing devices such as servers, routers, network storage devices, etc. Workforce members that violate your mobile device usage policies should be sanctioned.

Tracking: Physical safeguards for mobile and enterprise computing devices should be documented and stored in your Compliance Repository. Physical safeguards should be reviewed for effectiveness each time a Risk Assessment is performed.

Workstation Security: Mobile devices must be secured against unauthorized access to PHI just like any other device. We include, personal computers, laptops, pads, phone all as mobile device. To be sure, it is strong recommendation that mobile devices ONLY ever be used as PHI access devices and never as PHI storage devices.

(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Standard Device & Media Control: PHI should be disposed according to the NIST standard if your organization wants to take advantage of the Breach Notification Safe Harbor. NIST published various protocols for sanitizing media depending on your organization’s need. There are many devices (e.g., photocopiers) that you may not even be aware contain images of PHI.

(d) (1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

References: §164.310 (d)(2)(i) Disposal.

Process: Your CO and CIO should ensure that all devices containing ePHI are inventoried prior to first use and properly disposed of at end-of-life. Your CO will adopt and promulgate the electronic media disposal standards recommended by the Secretary and in a manner that allows your Organization to take advantage of the Breach Notification Safe Harbor. Workforce members responsible for the disposal of electronic media that contains ePHI should be provided training regarding disposal standards and best practices. Workforce members responsible for the disposal of electronic media that contains ePHI should be required to sign a form indicating that the media has been properly disposed of and trigger the removal of the device and/or media from inventory as required.

Tracking: Devices that store, access, transmit, or maintain ePHI should be inventoried prior to use in your Information Assets log stored in your Compliance Repository. Devices that store, access, transmit, or maintain ePHI and are disposed of should be logged in your Information Assets Disposal Log stored in your Compliance Repository.

Disposal: PHI should be disposed according to the NIST standard if your organization wants to take advantage of the Breach Notification Safe Harbor. NIST published various protocols for sanitizing media depending on your organization’s need. There are many devices (e.g., photocopiers) that you may not even be aware contain images of PHI.

(2) Implementation specifications:

(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

References: §164.310 (d)(2)(ii) Media re-use.

Process: Your CO shoould adopt and promulgate the electronic media removal standards recommended by the Secretary and in a manner that allows your Organization to take advantage of the Breach Notification Safe Harbor. Workforce members responsible for the removal of ePHI from electronic media should be provided training regarding removal best practices. Workforce members responsible for the removal of ePHI from electronic media should be required to sign a form indicating that the ePHI has been properly removed and trigger the removal of the device and/or media from inventory as required.

Tracking: Devices that store, access, transmit, or maintain ePHI should be inventoried prior to use in your Information Assets log stored in your Compliance Repository. Devices that store, access, transmit, or maintain ePHI and are made available for re-use should be logged in your Information Assets Disposal Log stored in your Compliance Repository.

Media Reuse: What this means, as discussed above, is the media containing PHI must be sanitized before using it for other purposes. As discussed in the NIST protocols, it is not enough simply to delete the data, the media will still retain retrievable copies if that is all that is done. Sanitizing media is a term-of-art that implies much more than deletion of PHI.

(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

References: §164.310 (d)(2)(iii) Accountability.

Process: Your CO should designate, and train specified Workforce members in the inventorying and tracking of devices that store, access, transmit, or maintain ePHI. Designated Workforce members should be required to “sign off” on the acquisition, movement, and disposal of ePHI enabled devices.

Tracking: Devices that store, access, transmit, or maintain ePHI should be inventoried prior to use in your Information Assets log stored in your Compliance Repository. Devices that store, access, transmit, or maintain ePHI and are moved within the Organization will be logged in your Information Assets Transfer Log stored in your Compliance Repository.

Accountability All Security Objects that access, update, delete must be inventoried. There are numerous common-sense reasons why you would want to do this. First, if you don’t have an accurate inventory, it’s impossible to know which Security Objects to apply Controls to. Second, it’s impossible to know what Objects must be given PHI access, and so forth. Security Objects, or assets, that “touch” PHI are the ones necessary for applied Controls.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

References: §§164.310 (d)(2)(iv) Data backup and storage.

Process: Your CO and CIO should ensure that your Data Backup Plan includes all Information Systems that contain ePHI so that replicas of ePHI can be made prior to movement as required. Designated Workforce members should ensure, on a daily basis, that all backups have executed properly.

Tracking: Copies of your backup logs should be stored in your Compliance Repository. Quarterly backup restoration reports should be stored in our Compliance Repository. Any anomaly found in your daily backup review shall be reported immediately to your CO/CIO.

Data Backup & Storage Under the Administrative Safeguards the Controls concern themselves with documenting your Data Backup Plan (“DBP”). Here you must implement the technology that accomplishes that task. With the advent of Ransomware, where you store copies of backup has become critically important. You should ask your staff of the 3-2-1 plan that is a widely used best practice.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Download our Free HIPAA Project Plan.

« Previous PageHIPAA Regulations Table of ContentsNext Page »