Physical Safeguards Requirements

Facility access controls, workstation use policies, workstation security, and device and media controls required under the HIPAA Security Rule.

What Are Physical Safeguards?

Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and the related buildings and equipment from natural and environmental hazards and unauthorized intrusion. They address the physical environment in which ePHI is stored, processed, and transmitted — the buildings, rooms, workstations, and devices that contain or connect to health information systems.

Physical safeguards are often underestimated compared to technical controls, but they are foundational. The most sophisticated encryption is ineffective if an unauthorized person can walk into a server room and copy data to a USB drive. Physical access to systems and devices is one of the most direct paths to ePHI exposure.

1. Facility Access Controls

Covered entities must implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Addressable implementation specifications include:

  • Contingency operations — Procedures that allow facility access in support of restoration of lost data under the disaster recovery plan in the event of an emergency.
  • Facility security plan — Policies and procedures to safeguard the facility and equipment therein from unauthorized physical access, tampering, and theft.
  • Access control and validation procedures — Procedures to control and validate a person's access to facilities based on their role or function, including visitor control.
  • Maintenance records — Policies and procedures to document repairs and modifications to the physical components of a facility related to security (e.g., hardware, walls, doors, locks).

2. Workstation Use

Covered entities must implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. This means specifying how workstations are to be used — for example, requiring screen locks, prohibiting workstations from being positioned where unauthorized persons can view screens, and restricting the types of activities performed on workstations with access to ePHI.

3. Workstation Security

Physical safeguards must be implemented for all workstations that access ePHI to restrict access to authorized users. This includes restricting workstation access to authorized personnel only, using physical locks or cables for laptops, positioning monitors away from public view, and ensuring that workstations in semi-public areas (reception, nursing stations) are configured to minimize exposure of ePHI to unauthorized persons.

4. Device and Media Controls

Covered entities must implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. Implementation specifications include:

  • Disposal (Required) — Implement policies and procedures to address final disposition of ePHI and the hardware or electronic media on which it is stored. Hard drives must be securely wiped or physically destroyed before disposal, paper PHI must be shredded, and CDs and tapes must be physically destroyed.
  • Media re-use (Required) — Implement procedures for removal of ePHI from electronic media before the media are made available for reuse.
  • Accountability (Addressable) — Maintain a record of the movements of hardware and electronic media and of the person responsible for them.
  • Data backup and storage (Addressable) — Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
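The Disposal and Media re-use specifications both hinge on being able to show that an overwrite actually removed the data. The following script is an added example, not part of the original article or any HIPAA guidance: it reads a disk image (or a block device opened read-only) in fixed-size chunks, reports the first offset where non-zero data survives a zero-fill overwrite, and checks a handful of well-known partition-table and filesystem signatures that a quick format leaves behind. The image contents, the `PATIENT,...` record and the file paths are all constructed for the demonstration; the signature offsets are the real on-disk values for MBR, NTFS, GPT and ext2/3/4.

```python
"""Verify that electronic media was actually sanitized before re-use or disposal.

Added example for the Disposal and Media re-use specifications; it is not part
of the original article. It reads a disk image (or a block device opened
read-only, e.g. /dev/sdX on Linux) in fixed chunks, reports the first offset at
which non-zero data survived an overwrite, and checks a few well-known
filesystem and partition-table signatures. Image contents are constructed.
"""
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB reads: large media never need to fit in memory

# (byte offset, magic bytes, description) for structures that must not survive a wipe
KNOWN_SIGNATURES = [
    (510, b"\x55\xaa", "MBR/boot-sector signature"),
    (3, b"NTFS    ", "NTFS OEM id"),
    (512, b"EFI PART", "GPT header (512-byte sectors)"),
    (1024 + 56, b"\x53\xef", "ext2/3/4 superblock magic"),
]


def first_residual_offset(path):
    """Return the offset of the first non-zero byte, or None if the medium reads all zeros."""
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                return None
            if any(chunk):  # cheap whole-chunk test before the per-byte search
                return offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)


def surviving_signatures(path):
    """Return descriptions of known on-disk signatures still present at their expected offsets."""
    found = []
    with open(path, "rb") as fh:
        for offset, magic, description in KNOWN_SIGNATURES:
            fh.seek(offset)
            if fh.read(len(magic)) == magic:
                found.append(description)
    return found


def verify_sanitized(path, expect_zeroed=True):
    """Build a verification record suitable for attaching to the disposal or re-use log.

    expect_zeroed=True   the overwrite wrote zeros, so any non-zero byte is a failure.
    expect_zeroed=False  the overwrite used a random pattern; only the structure check
                         applies, which is necessary but not sufficient evidence.
    """
    report = {
        "path": path,
        "size_bytes": os.path.getsize(path),
        "surviving_signatures": surviving_signatures(path),
        "first_residual_offset": first_residual_offset(path) if expect_zeroed else None,
    }
    if expect_zeroed:
        report["sanitized"] = report["first_residual_offset"] is None
    else:
        report["sanitized"] = not report["surviving_signatures"]
    return report


def make_sample_image(kind, size=4 * 1024 * 1024):
    """Write a constructed disk image to a temporary file and return its path.

    kind: "wiped"        all zeros (a correctly overwritten medium)
          "quick_format" zeros except an NTFS boot sector, the usual result of a mere format
          "residual"     zeros except one stray record 3 MiB into the image
    """
    data = bytearray(size)
    if kind == "quick_format":
        data[3:11] = b"NTFS    "
        data[510:512] = b"\x55\xaa"
    elif kind == "residual":
        record = b"PATIENT,DOE,JOHN,MRN-000000"  # constructed sample, not real PHI
        start = 3 * 1024 * 1024
        data[start:start + len(record)] = record
    elif kind != "wiped":
        raise ValueError(kind)
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for kind in ("wiped", "quick_format", "residual"):
        path = make_sample_image(kind)
        try:
            print(kind, verify_sanitized(path))
        finally:
            os.remove(path)
```

Run against the "residual" image, the signature-only check (`expect_zeroed=False`) reports the medium as clean while the byte scan finds the stray record at 3 MiB: absence of filesystem structures proves nothing about data further in. A zero-fill overwrite followed by a full read-back, or physical destruction, is what the Disposal specification is asking for, and the returned record is the evidence to keep alongside the accountability log for that piece of media.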
