When researching the different ways to prevent the unauthorized disclosure of Electronic Protected Health Information (EPHI), you may come across the term “physical safeguard.” The Health Insurance Portability and Accountability Act (HIPAA) specifically mentions physical safeguards in its Security Rule, requiring all doctors, chiropractors, dentists, and other covered entities to implement them. But what exactly is a physical safeguard?
Physical Safeguards Defined
According to the Department of Health and Human Services (HHS), a physical safeguard is any physical measure, policy or procedure that is intended to protect a covered entity's data and equipment from natural hazards, environmental hazards, and unauthorized intrusion. This is in stark contrast to technical safeguards, which are intangible measures rather than tangible, physical ones.
Examples of Physical Safeguards
HHS doesn't specifically require covered entities to use certain physical safeguards, but rather it allows them to use their own discretion when choosing and implementing such safeguards. So, what are some common examples of physical safeguards? They may include facility access controls (locked doors, keypad entry systems, etc.), as well as workstation security, device and media controls, and workstation use. Assuming the safeguard is tangible and is used for the purpose of preventing the unauthorized use of or access to EPHI, it can be classified as a physical safeguard.
What if My Data is Stored Off Premise?
Don't assume that your healthcare practice isn't required to implement physical safeguards just because a third-party organization stores and handles your data. Whether patient data is stored on-site or off-site, covered entities must still implement meaningful and appropriate physical safeguards as per the HIPAA Security Rule.
In the event that a third-party organization is responsible for storing your EPHI, you must create a Business Associate Agreement (BAA). This HIPAA-related document outlines the way in which the entity will use your EPHI. The HHS Office for Civil Rights (OCR) has cracked down on covered entities who fail to create BAAs in recent years, slapping them with hefty fines. Don't let your healthcare practice become a target during the next round of HIPAA audits. Set up BAAs with each and every associate with whom you do business.
Don't Forget the Technical Safeguards
Equally important as physical safeguards are technical safeguards. As we mentioned earlier, technical safeguards differ from their physical counterparts in the sense that they are intangible, meaning you cannot see or touch them. Examples of technical safeguards may include encryption software, firewalls, unique worker identification numbers, and proactive network monitoring for suspicious activity.