In an earlier post we broke down the Administrative section of HIPAA, looking specifically at what needs to be done to be compliant in that category. In this post we will do the same with the Physical requirements section.

The physical standards in HIPAA are a set of rules and guidelines focusing on physical access to Protected Health Information (PHI). This section contains four basic categories.

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

When these categories are broken down, there are ten specific requirements which must be implemented to be compliant under the Physical section of HIPAA.

Facility Access Controls

  • Contingency Operations (addressable): Create, and use as needed, a set of procedures that allow access to the facility and recovery of lost data, as outlined in the disaster recovery plan, in the event of an emergency.
  • Facility Security Plan (addressable): Policies and procedures should be in place to safeguard all physical equipment used for the storage or processing of PHI against theft, tampering, and unauthorized access.
  • Access Control and Validation Procedures (addressable): Implement a system which controls and limits access to programs associated with PHI according to the member's role within the business. A validation procedure should also be implemented to confirm the user's identity.
  • Maintenance Records (addressable): Policies and procedures covering the documentation of any repairs or modifications to physical security components of the facility (such as walls, locks, hardware, doors, etc.) should be put in place.

Workstation Use (required)

  • Policies should be implemented which specify the functions to be performed, the manner in which they are performed, and the physical attributes of the surroundings of a workstation, or class of workstations, that handles PHI.

Workstation Security (required)

  • Physical safeguards which restrict access to only authorized users for all workstations with access to ePHI should be in place.

Device and Media Controls

  • Disposal (required): Policies addressing the final disposal of ePHI, and of any equipment that has stored or accessed ePHI, should be implemented.
  • Media Re-Use (required): Procedures for removing ePHI from any electronic storage media before it is re-used should be implemented.
  • Accountability (addressable): Maintain a record of the movements of any hardware or electronic media and of the person responsible for each move.
  • Data Back-Up and Storage (addressable): A readily retrievable, exact copy of ePHI should be created (as needed) before information or hardware is moved.

When broken down from the original four categories, the physical requirements are much simpler and less daunting to those looking to make sure their business is HIPAA compliant. Each situation is unique in its own way, so if you're unsure about your business's compliance with HIPAA, feel free to contact us at our website.
