Are you keeping up with the physical requirements of HIPAA? From my experience, this is the area that is most overlooked. The physical requirements make up 24% of the Security Rule; however, the requirements are somewhat vague. The rule states that an important step in protecting electronic protected health information is to implement reasonable and appropriate physical safeguards for your systems. What exactly does this mean? First, it requires an evaluation of your current security controls and a series of documented solutions. It takes knowledge of the rule and the implementation of a good policy and procedure manual.

Another way to keep up with the physical requirements of HIPAA is to review each physical safeguard standard listed in the rule. You can find this on the website. You will want to look at any physical vulnerabilities and address them. For example, you will want to document the security measures for your building. Do you have an alarm system? 24/7 video monitoring? Security guards? All of this needs to be documented. Is your server sitting in an area where someone can come in and knock it over and break it? Pick it up and steal it? Spill water on it? I know these may sound trivial, but things happen. The physical requirements are there to make sure you have processes in place to continue seeing patients if something disastrous happens to the physical systems holding your ePHI.

A better definition of physical safeguards

The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of the actual office and could include workforce members’ homes or other physical locations where they access EPHI.

You don’t want to get caught not paying attention to the physical requirements of HIPAA. They are just as important as the technical and administrative safeguards.

