§ 164.310 Physical safeguards
A Covered Entity must, in accordance with the general rule:
(a) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
HIPAA Survival Guide Note
This standard is quite broad as written and will mean one thing for a hospital and quite another for a small practice. It spans access to buildings, server rooms, and anywhere else computing devices may be found (which, with the spread of mobile computing devices, now means nearly everywhere). Small providers will have to rely on the "flexibility approach" to develop and implement policies and procedures that are "reasonable and appropriate" to their practice. The four implementation specifications under this standard (contingency operations, facility security plan, access control and validation procedures, and maintenance records) are all addressable.
(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
(d) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
HIPAA Survival Guide Note
It is unclear what to make of the remaining physical safeguards ((b), (c) and (d)), since much of what we think might be applicable is covered next under § 164.312. Note that (b) and (c) carry no implementation specifications of their own, so the standard itself is the requirement, while (d) has two required specifications (disposal and media re-use) and two addressable ones (accountability and data backup and storage).
§ 164.312 Technical safeguards
A Covered Entity must, in accordance with the general rule:
(a) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have appropriately granted access rights.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
(c) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(e) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
HIPAA Survival Guide Note
As a practical matter these standards will be implemented almost entirely by the software package(s) that a provider uses. Each implementation specification must be compared against the features and functionality of that software. In some packages the functionality may need to be enabled by selecting the appropriate option (assuming the option exists); where it does not, the gap has to be closed by other means and the decision documented. Not every specification here is addressable: unique user identification and an emergency access procedure under (a) are required, and the audit controls standard in (b) has no addressable specification to fall back on.