How to be HIPAA Compliant – Physical Safeguards

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act (also known as the Kennedy-Kassebaum Act), is the law that sets the standards for protecting Protected Health Information (PHI) and that applies to insurance providers, health care providers and employers.

If a business handles patient information, as clinics, hospitals and insurance providers do, it is required to comply with the standards set by HIPAA to ensure the security of that sensitive information. Doing so reduces the opportunities for health care fraud.

To become HIPAA compliant, one must be familiar with the HIPAA rules. Two of these are the Privacy Rule and the Security Rule. The Privacy Rule covers PHI in any form, whether on paper or electronic, while the Security Rule deals specifically with Electronic Protected Health Information (EPHI). The Security Rule defines three categories of safeguards that an organization must address to be compliant: Administrative Safeguards, Technical Safeguards, and Physical Safeguards.

Here we focus on Physical Safeguards. The Security Rule defines physical safeguards as “physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards under Physical Safeguards are:

• Facility Access Controls – the goal is to “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

There are four implementation specifications under Facility Access Controls, all of which are addressable. Addressable does not mean optional: a covered entity must assess whether each specification is reasonable and appropriate for its environment and, if it decides not to implement one, document the reason and put an equivalent alternative measure in place.
1. Contingency Operations
2. Facility Security Plan
3. Access Control and Validation Procedures
4. Maintenance Records

• Workstation Use – “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

• Workstation Security – “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

• Device and Media Controls – “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

There are four implementation specifications under Device and Media Controls, two of which are required and two of which are addressable:
1. Disposal (Required)
2. Media Re-Use (Required)
3. Accountability (Addressable)
4. Data Backup and Storage (Addressable)

If you own or manage a business that needs to be HIPAA compliant, specifically with respect to Facility Access Controls, ACIS® IT Solutions can help. We install Access Control Systems that comply with the standards and policies set by HIPAA. Our Access Control Systems are used to protect network data, files, and physical rooms. They help protect against threats to information security, prevent unauthorized disclosure, and support the appropriate security measures and compliance systems your organization needs.

Contact ACIS® IT Solutions for your HIPAA compliance needs. (417) 823-7100