Using Physical Safeguards to Prevent Security Breaches

Data breaches in healthcare are increasingly common and costly, and it is well known that patient health records, with their wealth of information, are a valuable asset for identity thieves and cyber criminals.

Discussions about data breaches often focus on technology-based safeguards for preventing loss or theft of protected health information (PHI) and electronic PHI (ePHI). However, physical safeguards also are a critical component of a sound security strategy and a requirement under the HIPAA Security Rule.

The HIPAA Security Rule stipulates that covered entities and business associates must ”Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”¹ Workstations include desktop computers and portable electronic devices (e.g., laptops, tablets, and smartphones). Additionally, electronic media is covered as part of the HIPAA Security Rule.²

In a cybersecurity newsletter, the U.S. Department of Health and Human Services Office for Civil Rights stated that, ”While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked. Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program.”³

The risk tips in this publication focus on strategies for physically safeguarding PHI and ePHI as well as other proprietary information.

1. As part of your chiropractic practice’s security risk assessment, review physical security measures to determine potential areas of vulnerability. (Note: The HIPAA Security Rule requires covered entities and their business associates to conduct risk assessments.⁴)
2. Include physical security measures in your chiropractic practice’s written security plan as well as staff accountabilities for implementing and following policies related to physical safeguards.
3. Keep an up-to-date inventory of all electronic devices, where they are located, and their function. Move devices that are located in areas that might be vulnerable to theft or where inadvertent disclosure of information might occur.
4. Lock any storage areas that contain electronic equipment and media that contain proprietary and sensitive information. Determine who is authorized to access these areas and who will maintain the keys or access codes.
5. Strictly prohibit employees from sharing passwords and placing written passwords in easily accessible locations (e.g., taped to a computer monitor or placed in an unlocked desk drawer).
6. Consider safeguards such as security cameras, security alarms, door and file locks, and privacy screens for computer monitors. Position monitors so that they face away from public view.
7. Ensure that the chiropractic practice’s policies clearly prohibit employees from removing devices containing ePHI (e.g., laptops, tablets, etc.) from the facility, unless specifically required. The policy also should stipulate that when devices are removed from the facility with approval, they should never be left in vehicles
8. Develop protocols for disposal of electronic devices, media, and hardcopy records and information. Ensure staff members are aware of the protocols and best practices, and monitor for compliance.
9. Limit the number of people who have keys or access codes to the facility or restricted areas of the facility; do not give keys to employees who have not passed probationary periods.
10. Restrict entry to areas of the facility where patient data can be accessed; implement these restrictions during times when the areas are not in use or outside of business hours.
11. Stipulate the return of keys and facility-issued identification or access badges from employees who quit or are terminated. Employees who are fired should turn in their keys and badges immediately upon termination, and badges should be deactivated. They should not be given the opportunity to access any patient- or business-related information.
12. Change locks and access codes on facility doors if any former employees pose legitimate concerns about unauthorized access.
13. Post signs to remind employees, patients, and visitors about security policies and monitoring as well as the chiropractic practice’s commitment to privacy and confidentiality.
14. Include physical security as part of your overall security training for staff members during orientation and in-service trainings. Periodically audit your security policies for compliance and take corrective action as needed.

1. 45 C.F.R. § 164.310(c)
2. 45 C.F.R. § 164.304
3. U.S. Department of Health and Human Services, Office for Civil Rights. (2018, May). Workstation security: Don’t forget about physical security. Retrieved from www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstationsecurity.pdf
4. The Office of the National Coordinator for Health Information Technology. (2018, December 19). Privacy, security, and HIPAA: Security risk assessment. Retrieved from www.healthit.gov/topic/privacy-security-and-hipaa/security-riskassessment