What physical safeguards are required by HIPAA?

As healthcare continues its digital transformation, cybersecurity has been at the forefront of every health professional's mind. Especially given the focus of the HIPAA Act on safeguarding ePHI (electronic protected health information) as much as PHI. However, physical safeguards play a vital role in protecting patients' data against breaches.

Healthcare organizations can reduce the risk of PHI exposure by understanding and implementing proper physical safeguards. Among the various requirements outlined by HIPAA, physical safeguards are necessary for ensuring patient confidentiality.

A Recap: HIPAA and the Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) is U.S. legislation that protects the rights and privacy of patients. Understanding HIPAA is essential for covered entities as they balance HIPAA compliance with effective patient care. Most referenced is Title II, as it sets the policies and procedures for safeguarding PHI. Within Title II is the Security Rule, which establishes requirements for protecting ePHI. The rule ensures the confidentiality, integrity, and availability of patient data.

The Security Rule puts the Privacy Rule into practice by addressing the how of use and disclosure. It provides both addressable and required specifications to give covered entities flexibility over security. With the right mix of tools, healthcare organizations can fortify PHI and stop breaches.

The rule requires healthcare professionals to implement layers of administrative, technical, and physical safeguards. Administrative safeguards focus on policies and procedures, technical safeguards on cybersecurity, and physical safeguards on facilities.

Related: What are administrative, physical and technical safeguards?

What are HIPAA physical safeguards?

Physical safeguards are measures implemented to protect an organization's physical infrastructure and assets. This may include the actual office as well as the equipment within. It may also include any storage area where sensitive information is stored and processed.

In fact, physical safeguards could extend outside of an actual office. Particularly if employees work remotely from home or in any other location and access ePHI.

These safeguards prevent unauthorized physical access to sensitive data and protect the information from natural and environmental hazards. They reduce the risk of theft, damage, or loss of physical assets that could compromise the security of medical records.

Related: HIPAA compliant email: The definitive guide

What physical safeguards are required by HIPAA?

The U.S. Health & Human Services Department released details about physical safeguards within their HIPAA Security Series. The list of possible physical safeguards is extensive and depends on the needs of an organization. But according to HIPAA, there are four requirements (what they call standards) for physical safeguards. 

These standards are (followed by examples of safeguards):

• Facility access controls: locked doors, security alarms, key cards, biometric controls, visitor management, access logs, and storage locks.
• Workstation use: use/access procedures (e.g., where, how, and when to access data).
• Workstation security: physical locks, access control measures, encryption, inventory tracking.
• Device and media controls: encryption, password protection, multifactor authentication, inventory tracking, and disposal.

Practitioners must have proper policies and procedures and up-to-date employee training to effectively utilize these. Such documents and training would cover a wide range of topics, such as device security, disposal procedures, data and emergency power backup, and data recovery. They should also cover HIPAA guidelines, incident reporting, disaster recovery and contingency planning, and business continuity.

Checklist for implementing physical safeguards

It is up to each organization to understand and correctly implement the physical requirements set by the HIPAA Security Rule. Use this checklist to ensure you hit the four standards given by HIPAA to protect your organization.

1. Consider what needs to be physically safeguarded and how (i.e., a risk assessment).
2. Implement a secure facility design along with environmental controls.
3. Specify the methods to control access and ensure they remain monitored, even remotely.
4. Use the principle of least privilege to classify data into three levels: restricted, internal, and public.
5. Limit authorized and unauthorized access to all facilities and infrastructure housing PHI. And for staff that have access, guarantee they understand the responsibilities, regulations, policies, and procedures.
6. Manage and track the proper disposal of sensitive information and equipment.
7. Implement secure storage for physical media and equipment.
8. Develop a breach notification plan for possible inadvertent or deliberate breaches.
9. Keep policies and procedures up-to-date and constantly implemented.

And as always, stay on top of changes to HIPAA and other state/federal regulations.

Physical safeguards are required for HIPAA compliance

Healthcare providers must make a concerted effort to block breaches, whether from human error, a cyberattack, or a technical failure. If not, an organization may face an investigation and a possible HIPAA violation.

The Security Rule includes the necessary safeguards that healthcare providers need for HIPAA compliance. And compliance with HIPAA's physical safeguards is the responsibility of every healthcare organization tasked with securing both ePHI and PHI.

Prioritizing HIPAA's physical safeguards allows practitioners to safeguard patient data, maintain compliance, and uphold the highest patient privacy and security standards.