Physical Safeguards
Physical Safeguards is the second section of the HHS Security Matrix. The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Facility Access Controls 45 CFR § 164.310(a)(1) The physical security of the facility is extremely important. Every organization must ensure that the data is always protected while still allowing authorized access when it is needed.
Contingency Operations 45 CFR § 164.310(a)(2)(i) Organizations must establish procedures that allow access to the facility while ePHI is being restored.
Facility Security Plan 45 CFR § 164.310(a)(2)(ii) You must document your physical access controls and ensure only authorized persons access your facility or systems that house ePHI.
Access Control and Validation Procedures 45 CFR § 164.310(a)(2)(iii) Knowing who has been in your facility, or who has had access to a system that houses ePHI, is critical. Depending on the size of your organization, it may be necessary to ask for ID each time someone visits your facility or to have visitors sign in and out.
Maintenance Records 45 CFR § 164.310(a)(2)(iv) A maintenance log of security repairs will help document your efforts to keep the facility secure. This is especially helpful when an employee no longer needs access to the facility and locks or security codes have been changed.
Workstation Use 45 CFR § 164.310(b) Inappropriate use of any device that accesses ePHI puts your organization at risk. When you clearly define what employees are and are not permitted to do with their workstations, you strengthen your ability to protect patient data. For instance, staff members should not be allowed to charge their smartphones from a workstation USB port, and no unauthorized use of ANY flash drive should be permitted, because of the risk of malware infection. Your policies and procedures should also state which workstations or devices are permitted to access ePHI and which are not. Be sure to include home computers used to access ePHI. Most home computers are not secure and may already carry malware, since they are not typically maintained by an IT professional; that malware can infect your systems or even steal your data.
Let Aris work with you for an easy online path to HIPAA compliance