The latest newsletter from the Office for Civil Rights (OCR) highlights the importance of physical security in safeguarding protected health information (PHI).

With ransomware and hacking all over the news, many people are focused on cybersecurity issues and electronic ways to protect PHI.  However, physical security is just as important.  Thus far in 2018, there have been 13 reports to Health and Human Services that an electronic device was lost or stolen.

In the newsletter, the OCR reminds covered entities and business associates that physical safeguards are a large part of the HIPAA Security Rule.  The Security Rule specifically states that physical safeguards must be implemented to protect workstations that access PHI.  Workstations can include desktops, laptops, and mobile devices that act like a desktop for accessing medical information.

The OCR also provided some questions to think about when implementing physical safeguards:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • What additional physical security controls could be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

The OCR also provided examples of some physical safeguards, such as privacy screens on monitors, port and device locks that restrict access to USB ports, situating screens to face away from public traffic, locking portable devices in a room set aside for that purpose, and installing video cameras to record actions.

Finally, the OCR reminded covered entities and business associates that failure to implement such safeguards can lead to a breach, meaning a pretty stiff fine.  Fines for the examples provided range from $250,000 to $3.9 million.

