Physical Safeguards for HIPAA, Part 1:  Facility Access
By Gil Vidals, HIPAA Blog

A recent potential breach of protected health information (PHI), including social security numbers, financial information, and medical data, was reported by a major health system in West Virginia. The cause? A stolen laptop, taken from an employee’s car.

Although the laptop was equipped with security tools (including password protection), the health system had not encrypted its hard drive, leaving the sensitive PHI of over 40,000 patients potentially accessible to unauthorized users.

Far from being overly restrictive, the HIPAA Security Rule was intended for just such situations; namely, to help organizations protect patients from having their personal information divulged or held hostage for illicit gain. The rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Clearly, encrypting a computer’s hard drive should be a mandatory practice whenever PHI is stored on it. A related question is, ‘How could an unprotected laptop containing PHI leave a facility in the first place?’ Chances are, the employee intended to work remotely, and the health system believed it had enough protections in place. A more thorough consideration of the Security Rule, however, would have addressed both hard drive encryption and the company’s responsibility to:

“…implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed.”

A closer look reveals that the Facility Access Controls Standard has four implementation specifications:

1. Contingency Operations (Addressable) – “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan, and emergency mode operations plan in the event of an emergency.”

2. Facility Security Plan (Addressable) – “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft (locked doors, restricted area warning signs, cameras, alarms, security services, personnel and property controls, etc.)”

3. Access Control and Validation Procedures (Addressable) – “Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.”

4. Maintenance Records (Addressable) – “Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).”

While each of these four facility specifications is “addressable” (meaning that the specifics of the implementation may vary depending on the entity and its precise requirements), protecting electronic protected health information (EPHI) means, at minimum, implementing “reasonable and appropriate physical safeguards related to equipment and facilities.”

In Part 2 of this series, we’ll take a closer look at specific procedures related to workstation use.