Friday, February 25, 2005

Device and Media Controls

The Device and Media Controls portion of the Physical Rules requires that agencies implement procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility and the movement of these items within the facility.

This rule has 4 tasks: 2 are required and 2 are addressable. In general, they cover the handling of servers and/or workstations and any type of backup media (tapes, disks, hard disk drives, electronic storage, etc.) that contain EPHI.

Tuesday, February 22, 2005

Workstation Security

The Workstation Security Rule requires that agencies implement physical safeguards for all workstations that access EPHI, restricting access to authorized users.

Access to authorized users is the key here. Unique user names, strong passwords, antivirus software, anti-spyware software, firewalls, and password-protected screen savers are all examples of how this rule can be complied with.

Friday, February 18, 2005

Workstation Use

The next item under the Physical Rules section is Workstation Use. Agencies must implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI.

Basically, the requirement here is to protect the workstations that have access to EPHI. This can include many things. Passwords, anti-spyware software, firewalls, etc. all protect the workstation. You must specifically indicate to users the proper use of the workstation in order to maintain the security of the EPHI data. Indicate that NO software may be installed, no data may be removed, passwords must not be shared, etc. Also indicate that users must log off their workstation when leaving their desk.

Tuesday, February 15, 2005

Facility Access Controls IV

The last addressable task under Facility Access Controls is Maintenance Records. This task requires that agencies implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (hardware, walls, doors, and locks).

You must document any repairs or changes to physical components that affect the security of your premises. Document the date, what was done, by whom, and anything else that is relevant. You should have the vendor sign off on this record.

Friday, February 11, 2005

Facility Access Controls III

The next Facility Access Controls task is also addressable. Access Control and Validation Procedures require that agencies implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.

This task can cover a lot of ground. First, how do you handle visitors? If you are a small organization, it may be through your reception desk. Smaller organizations can manage this task more easily, as visitors are easy to spot. Larger organizations may need badges or even escorts to meet this task. Do cleaning people have access to your servers or workstations? Are they specifically not allowed to access these areas? Do you have any internal or outsourced software development? What controls do you need to prevent these users from accessing protected EPHI?

Tuesday, February 08, 2005

Facility Access Controls II

The next Facility Access Controls task is to implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. This is an addressable task.

This covers locks, automated entry systems, fire alarms, etc., as required to protect your specific EPHI facilities.

Sunday, February 06, 2005

Facility Access Controls

This task requires that agencies implement policies and procedures to limit physical access to their Electronic Information Systems and the facility in which they are housed, while ensuring that properly authorized access is allowed.

There are 4 addressable tasks under this section. The first is Contingency Operations which states that you must establish and implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

If there is a disaster or an emergency, how would you restore access to your EPHI? Do the proper personnel have access to your building or the alternative location? Who will manage this process? Will you need outside vendors? How will they be authorized?

Thursday, February 03, 2005

HIPAA Security Rule - Physical Section

The Administrative section of the HIPAA Security Rule covers administrative issues, including user authorization, passwords, and other policies. The Physical section covers items related to your physical buildings, computer hardware, etc. Some of the tasks are redundant between the two sections.

There are several items under this section which we will explore over the next couple of weeks. In the meantime, do you have your security officer named? Have you evaluated what must be done to comply with the Administrative Section? How many days are left before April 20th?