Physical Safeguards for HIPAA, Part 2: Workstation Use
By Gil Vidals, , HIPAA Blog

In part 1 of this series, we learned that a laptop containing sensitive, protected health information (PHI) was stolen from the car of a West Virginia Health System employee. To make matters worse, the hard drive containing PHI was unencrypted, leaving the data open to access by unauthorized users.

While unfortunate, the occurrence does serve to highlight key issues concerning HIPAA security. As we saw previously, regulations pertaining to data encryption and facility access security must be reviewed thoroughly, and robust security policies (including locks on doors, cameras, restricted area signs, etc.) applied. Closely related to this is the question, “What really constitutes a secure “workstation” in HIPAA terms? And why does it matter?’

It matters, first of all, because those who have been entrusted with personal health information must do all they can to protect it from those who would abuse it. This is why HIPAA-covered entities are required to implement physical safeguards on all workstations that have access to PHI – even if their data is in the cloud – in order to limit access only to authorized users.

It matters too because mobile devices and laptops are increasingly relied on to facilitate remote work – and these devices are often overlooked when it comes to applying the appropriate protections. This is why the HIPAA Security Rule defines a workstation as:

“…an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.” (See HIPAA Standard § 164.310(b) and (c) – Workstation use and security).
Note that “media,” according to HIPAA Standard § 164.310(d)(1) on Device and Media Controls, is defined as: “electronic storage media including memory devices in computers (hard drives) and any removable or transportable digital memory media such as magnetic tape or disk, optical disk, or digital memory card.”

In summary then, here are the basic specifications:

1. Disposal (Required) – The goal, as noted in HIPAA is rendered “unusable and/or inaccessible,” with full erasure of the data.

2. Media Re-Use (Required) – ePHI must be permanently removed from all media, including laptops or USB sticks, before re-use.

Regarding the transport of these devices, HIPAA security also provides for the implementation of:

“…policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronically protected health information, into and out of a facility, and the movement of these items within the facility.” Essentially, this means there must be:

3. Accountability (Addressable) – Providers must audit all data movement and provide documentation of each location the data is stored.

4. Data Backup and Storage (Addressable) – Whether an onsite, backup hard drive, or a cloud-based backup is utilized, providers must have a plan to store the data elsewhere in the event of an attack.

HIPAA-covered entities should know that the U.S. Department of Health and Human Services has levied significant fines for violations of Device and Media controls, in some cases amounting to millions of dollars. It is incumbent upon these covered entities to review and implement these regulations before sensitive data breaches occur.