This is a question many doctors, dentists, chiropractors and other covered entities ask themselves. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and specifically its Security Rule, covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and their business associates must implement administrative, physical and technical safeguards for electronic Protected Health Information (ePHI). When you're busy focusing on the administrative and technical safeguards, the physical ones are easy to overlook.

The U.S. Department of Health & Human Services (HHS) defines "physical safeguards" as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." In other words, they are the non-digital measures and policies that keep patient information from being accessed by unauthorized individuals and protect the systems holding it from physical damage, theft or loss.

One of the most obvious measures classified as a physical safeguard is a locked door on the room where a covered entity's computers are kept. If patients and their families can walk right past a workstation, the risk of a breach rises: an unattended, logged-in screen can be read or tampered with, and a laptop or external drive can simply be carried off. Computers on which PHI is stored should be located in a locked room rather than out in the open, where doing so is reasonable and appropriate for the size, layout and budget of the practice (the Security Rule expects each covered entity to base that judgment on its own risk analysis and to document the decision).

Privacy screen barriers are another type of physical safeguard commonly used by covered entities. As the name suggests, these filters are placed over an existing computer screen or monitor to narrow its viewing angle, so that only a person directly in front of the monitor can read what's being displayed while anyone off to the side sees a dark screen. They reduce shoulder-surfing rather than eliminate it, so they complement, and do not replace, locking the screen when a workstation is unattended. If computers are placed in a waiting area or at a reception desk where patients commonly sit or stand, a privacy screen barrier should be used. Computers kept in a locked workroom generally don't need them, since they are already out of plain sight, unless the room has windows onto public areas or is shared with staff who aren't authorized to see the PHI on a particular screen.

Of course, there are some lesser-known physical safeguards as well, such as security guards, video surveillance cameras, alarm systems, locked windows, visitor sign-in logs, and controls over how devices and media containing PHI are moved, reused and disposed of. HIPAA does not prescribe any particular product or technology, but it does make the covered entity responsible for identifying its risks, implementing the measures best suited to its business, and documenting those choices, including the reasoning behind any addressable specification it decides not to implement.

HIPAA's Workstation Security standard requires physical safeguards for all workstations that access ePHI, in order to restrict access to authorized users; this applies to workstations that merely display PHI, not only to those that store it. Hopefully, this will give you a better understanding of some of the different physical safeguards and their respective purposes.
