Physical Safeguards

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of an actual office, and could include workforce members’ homes or other physical locations where they access EPHI.

A good example of a physical safeguard is the facility access controls standard. To be compliant, a covered entity must “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” A facility is defined in the rule as “the physical premises and the interior and exterior of a building(s)”.

As a covered entity, you must define a set of policies and procedures that address allowing authorized and limiting unauthorized physical access to electronic systems and the facility or facilities in which they are housed. Your policies and procedures will need to identify individuals (workforce members, BAs, etc.) with authorized access by title and/or job function. Tier3MD can assist you with all of your physical safeguard policies and procedures.

Things to Consider

Are policies and procedures developed and implemented that address allowing authorized physical access to electronic information systems and the facility or facilities in which they are housed?
Do the policies and procedures identify individuals (workforce members, business associates, contractors, etc.) with authorized access by title and/or job function?
Do the policies and procedures specify the methods used to control physical access such as door locks, electronic access control systems, security officers, or video monitoring?