OCR Highlights Importance of Physical Safeguards to Protect PHI
Thursday, May 31, 2018
data protection, ocr, phi
Print Mail Download i

The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”

Technical safeguards like encryption and access control are often top-of-mind when dealing with ePHI, but physical safeguards are equally important in protecting information. In addition, physical safeguards are often very simple and easy to implement. For example, a computer placed in a high traffic area without a privacy screen can expose PHI to unintended recipients as they pass by, even if the computer meets all technical standards. OCR’s newsletter suggests various types of physical safeguards for electronic devices, such as using device locks to deter theft or physically restrict access to USB ports or CD/DVD drives and keeping devices in a secured area when not in use.

It should be noted that “workstations” are not limited to desktop or laptop computers. HIPAA’s definition of the term actually encompasses any device that performs a computing function similar to a laptop or desktop computer, as well as any electronic media stored therein.  Therefore, the physical safeguard requirement extends to your smart phone, tablet, external hard drive, etc.

Covered entities and business associates should take stock of all of their devices that are able to access ePHI and ensure that appropriate physical safeguards are in place. Like other aspects of HIPAA, employee training remains a critical issue for physical safeguard because a privacy screen provides no physical safeguard if it is not used when an employee actually accesses ePHI. As OCR highlights in the newsletter, covered entities and business associates have had to enter into settlement agreements ranging from $250,000 to $3.9 million for violation of the physical security requirement.

The full newsletter can be found here.

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Current Legal Analysis

More from Mintz

DOJ Releases COVID-19 Fraud Enforcement Task Force Report Touting Its Successes and Urging Lawmakers to Enact New Legislation
by: Jane Haviland , Abdie Santiago
SEC’s Enforcement Authority Over Crypto Asset Transactions Upheld (Again) in Case Against Coinbase
by: Cory S. Flashner , Steve Ganis
Canada’s 2024 Federal Budget: The Time Is Now ... to Lock in Lower Tax Rates
by: Katy Pitch
American Privacy Rights Act – Another Shot at a Comprehensive Federal Privacy Law
by: Cynthia J. Larose , Christopher J. Buontempo
Tony Bennett May Have Left His Heart in San Francisco but the City's Appeal of Its NPDES Permit is on its Way to the United States Supreme Court.
by: Jeffrey R. Porter
Navigating Health Tech: Regulations for AI/ML in Medical Devices and Software [Video]
by: Benjamin M. Zegarelli , Pat G. Ouellette
Supreme Court Narrows the Reach of Omission Liability Claims Under Section 10(b) of the Exchange Act
by: Douglas P. Baumstein , Jason C. Vigna
Office of the Level Playing Field
by: Jennifer B. Rubin
The Sun is About to Set on Temporary CCPA/CPRA Exemptions: Employers Get Ready
by: Cynthia J. Larose
New Jersey Adopts a Comprehensive Data Privacy Law
by: Cynthia J. Larose , Jon Taylor

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins