Using Physical Safeguards to Prevent Security Breaches
Patient Safety & Risk Solutions
November 12, 2021
Data breaches in healthcare are increasingly common and costly, and it is well known that patient health records, with their wealth of information, are a valuable asset for identity thieves and cyber criminals.
Discussions about data breaches often focus on technology-based safeguards for preventing loss or theft of protected health information (PHI) and electronic PHI (ePHI). However, physical safeguards also are a critical component of a sound security strategy and a requirement under the HIPAA Security Rule.
The HIPAA Security Rule stipulates that covered entities and business associates must "Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users." [1] Workstations include desktop computers and portable electronic devices (e.g., laptops, tablets, and smartphones). Additionally, electronic media is covered as part of the HIPAA Security Rule. [2]
In a cybersecurity newsletter, the U.S. Department of Health and Human Services Office for Civil Rights stated that, "While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked. Yet physical security controls remain essential and often cost-effective components of an organization's overall information security program." [3]
The risk tips in this publication focus on strategies for physically safeguarding PHI and ePHI as well as other proprietary information.
- As part of your chiropractic practice's security risk assessment, review physical security measures to determine potential areas of vulnerability. (Note: The HIPAA Security Rule requires covered entities and their business associates to conduct risk assessments. [4])
- Include physical security measures in your chiropractic practice’s written security plan as well as staff accountabilities for implementing and following policies related to physical safeguards.
- Keep an up-to-date inventory of all electronic devices, where they are located, and their function. Move devices that are located in areas that might be vulnerable to theft or where inadvertent disclosure of information might occur.
- Lock any storage areas that contain electronic equipment and media that contain proprietary and sensitive information. Determine who is authorized to access these areas and who will maintain the keys or access codes.
- Strictly prohibit employees from sharing passwords and placing written passwords in easily accessible locations (e.g., taped to a computer monitor or placed in an unlocked desk drawer).
- Consider safeguards such as security cameras, security alarms, door and file locks, and privacy screens for computer monitors. Position monitors so that they face away from public view.
- Ensure that the chiropractic practice's policies clearly prohibit employees from removing devices containing ePHI (e.g., laptops, tablets, etc.) from the facility unless specifically required. The policy also should stipulate that when devices are removed from the facility with approval, they should never be left in vehicles.
- Develop protocols for disposal of electronic devices, media, and hardcopy records and information. Ensure staff members are aware of the protocols and best practices, and monitor for compliance.
- Limit the number of people who have keys or access codes to the facility or restricted areas of the facility; do not give keys to employees who have not passed probationary periods.
- Restrict entry to areas of the facility where patient data can be accessed; implement these restrictions during times when the areas are not in use or outside of business hours.
- Stipulate the return of keys and facility-issued identification or access badges from employees who quit or are terminated. Employees who are fired should turn in their keys and badges immediately upon termination, and badges should be deactivated. They should not be given the opportunity to access any patient- or business-related information.
- Change locks and access codes on facility doors if any former employees pose legitimate concerns about unauthorized access.
- Post signs to remind employees, patients, and visitors about security policies and monitoring as well as the chiropractic practice’s commitment to privacy and confidentiality.
- Include physical security as part of your overall security training for staff members during orientation and in-service trainings. Periodically audit your security policies for compliance and take corrective action as needed.
1. 45 C.F.R. § 164.310(c)
2. 45 C.F.R. § 164.304
3. U.S. Department of Health and Human Services, Office for Civil Rights. (2018, May). Workstation security: Don't forget about physical security. Retrieved from www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstationsecurity.pdf
4. The Office of the National Coordinator for Health Information Technology. (2018, December 19). Privacy, security, and HIPAA: Security risk assessment. Retrieved from www.healthit.gov/topic/privacy-security-and-hipaa/security-riskassessment
© 2023 MedPro Group Inc. All rights reserved.