What You Should Know on HIPAA’s Physical Safeguards Ruling
April 19, 2018

One of the first lines of defense for any organization is the physical layer.  This primarily includes the controls around the physical access to the facility or structures that may store protected health information (PHI).  These safeguards also involve the controls surrounding procedures and maintenance of documents or hardware that contain PHI.  The HIPAA Security Rule categorizes physical safeguards into two (2) major areas:

  1. Facility Access Controls
  2. Device / Media Controls

Both of these have several implementation specifications under them, each of which is either required or addressable under the HIPAA Security Rule.

PHYSICAL SAFEGUARDS (R = Required, A = Addressable)

Section               Standard / Implementation Specification        R/A
164.310(a)(1)         Facility Access Controls
  164.310(a)(2)(i)      Contingency Operations                        A
  164.310(a)(2)(ii)     Facility Security Plan                        A
  164.310(a)(2)(iii)    Access Control and Validation Procedures      A
  164.310(a)(2)(iv)     Maintenance Records                           A
164.310(b)            Workstation Use                                 R
164.310(c)            Workstation Security                            R
164.310(d)(1)         Device and Media Controls
  164.310(d)(2)(i)      Disposal                                      R
  164.310(d)(2)(ii)     Media Re-use                                  R
  164.310(d)(2)(iii)    Accountability                                A
  164.310(d)(2)(iv)     Data Backup and Storage                       A

To clarify the distinction between ‘addressable’ and ‘required’ policies and procedures: the HIPAA Security Final Rule is composed of Standards (what must be done) and Implementation Specifications (how it must be done) for creating policies, procedures and practices to prevent, detect, contain and correct security violations.  Each Implementation Specification is either required or addressable.

“Required” implementation specifications, as the term suggests, must be implemented.  For addressable implementation specifications, covered entities (CEs) must first perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the CE’s environment.  Once the CE has completed its assessment of an addressable implementation specification, it may take one of these three steps:

  1. Implement the addressable implementation specification as stated;
  2. Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
  3. Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

These assessments must be properly and completely documented, along with the decisions that the Covered Entity or the Business Associate has arrived at.

Now, going back to the Physical Safeguards that must be put in place within the organization, covered entities must refer to the following references for further information related to Facility Access Controls:

  • NIST SP 800-53 PE-1 Physical and Environmental Protection Policy and Procedures
  • NIST SP 800-53 PE-2 Physical Access Authorizations
  • NIST SP 800-53 PE-3 Physical Access Control
  • NIST SP 800-53 PE-4 Access Control for Transmission Medium
  • NIST SP 800-53 PE-5 Access Control for Output Devices
  • NIST SP 800-66 4.10 Facility Access Controls
  • NIST SP 800-66 4.10.1 Conduct an Analysis of Existing Physical Security Vulnerabilities
  • NIST SP 800-66 4.10.2 Identify Corrective Measures

As for the Device and Media Controls, the following references can be consulted:

  • NIST SP 800-12, Chapter 14 – An Introduction to Computer Security: The NIST Handbook
  • NIST SP 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems
  • NIST SP 800-34 – Contingency Planning Guide for Federal Information Systems
  • NIST SP 800-53 – Security and Privacy Controls for Information Systems and Organizations

As stated earlier, HIPAA Physical Safeguards are a critical piece of a healthcare organization’s larger data security plan.  They must be implemented in a way that balances and works with the administrative and technical safeguards.  The organization must look at its day-to-day operations and workflow needs to determine the best practices for physical safeguards, and then ensure that employees at all levels adhere to them.
