The HIPAA Physical Safeguards risk review focuses on storing electronic Protected Health Information (ePHI). While the Security Rule focuses on security requirements and the technical safeguards focus on the technology, the physical safeguards focus on facilities and hardware protection. Healthcare providers, covered entities, and business associates must undergo audits to prove regulatory compliance so that they can assure new customers of their security posture. Beginning the road to HIPAA compliance requires assessing security risk and mitigation controls.

A HIPAA Physical Safeguards Risk Assessment Checklist

What is HIPAA?

HIPAA was enacted in 1996 to protect information as people moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

In 2005, the HIPAA Security Rule focused on electronically stored PHI (ePHI). This update created three types of compliance safeguards. “Administrative safeguards” refers to policies and procedures that show compliance. Physical safeguards include controlling access to data storage areas. Technical safeguards incorporate communications transmitting PHI electronically over open networks.

Who is a healthcare provider?

According to HIPAA, healthcare providers include doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which they practice or any other person determined by the Secretary to be capable of providing health care services.

If a person or organization engages in practicing medicine or helping treat sick people, HIPAA applies to them.

What is a covered entity?

HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically.

What is a business associate?

This term broadened HIPAA’s reach. The law defines a business associate as any person or entity that involves use of or disclosure of protected health information on behalf of or while providing a service to a covered entity.

This broad definition incorporates everyone from third-party administrators assisting in the healthcare claims processing area or certified public accountants whose advisory services involve accessing protected health information. Functionally, if a person or company may at any time see any information that identifies a patient, the healthcare provider or covered entity should make sure the business associate is HIPAA compliant.

What Can I Do To Get Compliant?

Risk assessments are the first step to HIPAA compliance. The risk assessment helps determine the locations of greatest vulnerability. The Office of the National Coordinator for Health Information Technology created the Security Risk Assessment Tool to help organizations identify their most significant risks by establishing 156 questions.

Within those 156 questions, the Security Assessment Tool breaks them up into three categories: administrative safeguards, technical safeguards, and physical safeguards.

What are physical safeguards?

The HIPAA Security Rule requires that covered entities and business associates protect ePHI by creating controls to create a secure their IT environment. Leaving ePHI unsecured creates both a legal liability under HIPAA but also places confidentiality, integrity, and availability of patient information at risk.

Risk Assessment

  • Create an inventory of all physical systems, devices, and media that store or contain ePHI.
  • Create and maintain an inventory of electronic devices and media that can be used to transport media storing ePHI.
  • Identify all facility locations the practice owns, rents, or occupies including places where you collect, create, process, or store ePHI.
  • Create an inventory of all individuals with authorized access to the facility.
  • Review environmental threats such as power failure and temperature extremes that can damage information systems.
  • Review physical environment to ensure systems can operate as designed or expected.
  • Review impact of power surges, heat and air conditioning outages, and air filtration systems which can compromise system integrity arising out of increased dust and humidity.
  • Review impact of natural threats such as fire, water, loss of power, and temperature extremes, which can compromise the function and integrity of your practice’s information systems.
  • Review impact of human threats such as unauthorized users or disgruntled workforce members who can compromise ePHI through unauthorized disclosure, loss, or left that leads to identity theft.
  • Create an inventory of the keys, combinations, access cards, doors, locks, and the like and indicate the authorized users who possess them.
  • Create, maintain, and review an inventory of all workstations and other electronic devices that can access ePHI (such as laptops, printers, copiers, tablets, smartphones, monitors, and other devices).
  • Develop and maintain an inventory of your storage media and/or information systems that handle ePHI.

Physical Access Controls Policy/Procedures

  • Create policies and procedures to control physical access to information systems that store ePHI including facilities and room within them where information systems are located.
  • Establish policy and procedures related to ePHI on output devices such as printers, fax machines, and copiers to keep unauthorized individuals from obtaining the output.
  • Establish policies and procedures that protect the facilities and equipment from unauthorized physical access, tampering, and theft.
  • Establish physical access protective measures including but not limited to door locks, window locks, gate locks, exterior fences, barriers, and monitoring/detection camera systems.
  • Create procedures that limit entrance to and exit of the facility with one or more physical access method.
  • Create procedures to control access to areas within facility designated as publicly accessible.
  • Create procedures that secure keys, combinations, and other physical access devices.
  • Establish authorization procedure for all individuals on the access inventory and issues authorization credentials.
  • Implement procedures to control and validation a person’s access to facilities based on role or function, including visitor control and access control to information systems.
  • Establish policies and procedures to enforce system access control policies.
  • Establish physical access control procedures that enforce physical access authorization at designated entry/exit points at ePHI information system facility.
  • Ensure only workforce member and third parties who need access to do their job can access offices and other locations storing ePHI.
  • Limit physical access to workforce members, business associates, patients, and other known visitors.
  • Create physical access control procedures that change combinations and keys at regular intervals and/or when people lose keys, combinations are compromised, and individuals are transferred or terminated.
  • Develop and maintain a record of individuals who visit the practice.
  • Physical and Environmental Protection and Security Policies/Procedures
  • Establish policies and procedures for physical and environmental protection.
  • Review physical and environmental protection needs to ensure policies remain responsive.
  • Develop and document a facility security plan.
  • Develop digital media protection and storage security policy.
  • Establish policies and procedures governing the receipt, internal movement, and removal of hardware and electronic media containing ePHI.
  • Establish policies and procedures within security policy addressing storing media that stores ePHI.
  • Establish policies and procedures within security policy addressing protecting media containing ePHI.
  • Establish policies and procedures within security policy addressing accessing media containing ePHI.
  • Establish policies and procedures within security policy addressing marking the media that stores ePHI.
  • Establish procedures and implement monitoring tools to continuously monitor physical access to the facility that stores ePHI.
  • Ensure facility security plan incorporates a system-level security plan.

Contingency and Emergency Plan

  • Establish procedures for emergency situations to manage and control access to facilities containing ePHI and align with disaster recovery and emergency mode operations plan.
  • Ensure that emergency situation procedures incorporate managing and allowing access to facilities storing ePHI to support lost data recovery tasks that align with Disaster Recovery and Emergency Mode Operations plan.
  • Establish alternate processing site that allows continued operations.
  • Ensure that Alternate Work Site includes security controls, continuous monitoring of control effectiveness, incident reporting and response.
  • Sign appropriate agreements that permit transfer and resumption of information services.
  • Ensure required alternate location includes required equipment and supplies.
  • Ensure alternate location includes application security safeguards.
  • Store copy of ePHI in an alternative location.
  • Ensure that location is conducive to storage and recovery of information system backup information.
  • Ensure that alternate location includes the same information safeguards as the primary site, such as enabling authorized user access.

Maintenance Policies/Procedures

  • Establish policies, procedures, and process that document repairs and modification to the facility’s physical components related to security, including but not limited to, hardware, walls, doors, and lock.
  • Track all of the practice’s maintenance records or any modifications to the physical security of locations that store ePHI (hardware, walls, doors, and locks).
  • Establish a timely maintenance process for your practice’s information systems and facilities.
  • Workstation Policies/Procedures
  • Establish and implement policies and procedures that detail functions performed, manner to perform the function, and physical surroundings attributes for each workstation or electronic device that access ePHI (such as laptops, printers, copiers, tablets, smartphones, monitors, and other devices).
  • Establish policies and procedures that enforce access control policies defining acceptable use of information systems, workstations, and other electronic devices that access ePHI (such as laptops, printers, copiers, tablets, smartphones, monitors, and other devices).
  • Establish a policy and procedure to control ePHI data access from output devices at workstations.
  • Establish policies and procedures to prevent unauthorized access to workstations or electronic devices (such as laptops, printers, copiers, tablets, smartphones, monitors, and other devices as well as information systems handling ePHI.
  • Define access agreement to manage ePHI information system access and requiring appropriate user access agreement before granting access to workstations.
  • Establish policies and procedures to prevent unauthorized access to unattended workstations or electronic devices (such as laptops, printers, copiers, tablets, smartphones, monitors, and other devices as well as information systems handling ePHI.
  • Establish access control policy and procedure for transmission medium.
  • Establish media access policy and procedure.
  • Establish policy and procedure for marking media.
  • Implement physical safeguard that restrict workstation access to authorized users.
  • Develop policies and procedures that prevent unauthorized access to phsyical information system component locations including location, configuration, and positioning of workstations and other electronic devices.
  • Consider having workstations in areas of the practice not open to the public and restrict storage media workstations and other electronic devices, to those locations.
  • Establish policies and procedures for ePHI access via mobile devices (such as laptops, tablets, and mobile phones).
  • Develop acceptable use and storage guidelines related to ePHI on mobile devices(such as laptops, tablets, and mobile phones).
  • As part of your security plan, establish physical access control policies and procedures designed to safeguard workstations and other electronic devices.

Remote Access Devices and Information Movement

  • Establish policies and procedures detailing use and storage of electronic devices that remotely access ePHI.
  • Maintain records of hardware and electronic media movement and any person responsible for using and securing devices and media containing ePHI outside of the facility.
  • Maintain records of hardware and electronic media movement and any person responsible for it.
  • Develop a process for maintaining records detailing transportation of hardware and electronic media to prepare and keep an up-to-date component inventory of information systems containing ePHI.
  • Develop a process for maintaining records detailing transportation of hardware and electronic media that requires signed access agreements before enabling access to information systems containing ePHI.
  • Establish policies and procedures documenting transportation of media.
  • Create a retrievable, exact copy of ePHI before moving equipment.
  • Develop a process for moving equipment or media that includes policies and procedures for backing up information systems storing ePHI.
  • Develop a process for moving equipment or media that includes policies and procedures for handling storage media that stores ePHI.

Record Retention/Destruction

  • Establish policies and procedures for sanitizing and securely disposing of electronic devices and media containing ePHI.
  • Establish policies and procedures for transportation of media storing ePHI.
  • Establish policies and procedures for the sanitization of media storing ePHI.
  • Implement policies and procedures addressing the ePHI final disposition including hardware or electronic media storing it.
  • Establish guidelines to remove equipment and media for information maintenance and disposal that include sanitizing media storage locations.
  • Implement procedures for removing ePHI from electronic media before the media are made available for re-use.
  • Establish a process for sanitizing (removal) equipment and media that store ePHI before preparing them for reuse.

Internal and External Audit

  • Periodically test emergency procedures.
  • Conduct periodic review and update to Access List to remove users who no longer need access.
  • Periodically review the record of individuals who visit the practice.
  • Periodically review the physical access logs to verify no unauthorized access has occurred.
  • Review information system maintenance and facility repairs and modifications on a regular basis.
  • Periodically review an inventory of all workstations and other electronic devices that can access ePHI (such as laptops, printers, copiers, tablets, smartphones, monitors, and other devices).
  • Conduct periodic review of the location of your information systems (such as workstations and components) to evaluate their vulnerability to access by unauthorized individuals.
  • Maintain a log of individuals that access or remove media.

For information on how ZenGRC can help your organization get compliant more quickly, schedule a demo.