OCR Highlights Importance of Physical Safeguards to Protect PHI
The May 2018 cyber security newsletter from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) focused on a topic often overlooked by covered entities and their business associates: physical security. The HIPAA Security Rule requires covered entities and business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
Technical safeguards like encryption and access control are often top-of-mind when dealing with ePHI, but physical safeguards are equally important in protecting information. In addition, physical safeguards are often very simple and easy to implement. For example, a computer placed in a high traffic area without a privacy screen can expose PHI to unintended recipients as they pass by, even if the computer meets all technical standards. OCR’s newsletter suggests various types of physical safeguards for electronic devices, such as using device locks to deter theft or physically restrict access to USB ports or CD/DVD drives and keeping devices in a secured area when not in use.
It should be noted that “workstations” are not limited to desktop or laptop computers. HIPAA’s definition of the term actually encompasses any device that performs a computing function similar to a laptop or desktop computer, as well as any electronic media stored therein. Therefore, the physical safeguard requirement extends to your smart phone, tablet, external hard drive, etc.
Covered entities and business associates should take stock of all of their devices that are able to access ePHI and ensure that appropriate physical safeguards are in place. Like other aspects of HIPAA, employee training remains a critical issue for physical safeguards, because a privacy screen provides no physical safeguard if it is not used when an employee actually accesses ePHI. As OCR highlights in the newsletter, covered entities and business associates have had to enter into settlement agreements ranging from $250,000 to $3.9 million for violations of the physical security requirement.
The full newsletter can be found here.