HIPAA Physical Safeguards Explained, Part 2
In a previous blog post titled, HIPAA Physical Safeguards Explained, Part 1, we covered the basics of the HIPAA Physical Safeguards and the first of four standards of the HIPAA Security Rule. In this post, we’ll cover the remaining three standards: Workstation Use, Workstation Security and Device and Media Controls. If you skipped part 1 of the series, you should read that first. Otherwise, Let’s dive right in.
The Workstation Use standard states your entity must define what each workstation can be used for, how the work on the workstation is performed and the environment surrounding the workstations when they are used to access electronic protected health information (ePHI). Let’s define what a workstation is first then we will look at the policies and procedures you have to define. A workstation in the eyes of the Department of Health and Human Services, is any electronic device that can be used to access ePHI. Desktops, laptops, mobile devices and tablets are all treated as “workstations.” The definition as it is written in the Security Rule is purposely broad to account for all future devices that have not been invented yet. But you get the idea: any devices that can be used to access ePHI is considered a workstation for the purpose of this standard.
Now, let’s look at the policies you have to define for the Workstation Use standard. In broad strokes, you are asked to put policies and procedures in place to ensure secure ePHI access from electronic devices. First, define what workstations can be used for. You can be specific and state workstations can only be used to access an EHR system, used by doctors to take down patient conditions or used for doctor-to-patient communication. Or you can be broad and state workstations can be used to support the research, education, clinical, administrative, and other functions of your entity. It is also common for entities to list what can not be done on a workstation. Such as checking personal emails. When you are defining policies for this standard, you can be workstation-specific (e.g., by workstation asset ID) or location-specific (e.g., workstations in building 3) or even by workstation type (e.g., every company issued tablet).
Next, define the manner in which work is done on the workstations. For example, the patient billing system can only be used with no other software, like a web browser, running in the background. Or each user’s password for the EHR system must be a minimum of six alphanumeric characters in length, contain a combination of upper and lower case characters and with words not found in the dictionary. These are examples of policies and procedures you can put in place to ensure safe and secure access to ePHI.
Lastly, define the environment surrounding the workstations when they are used to access ePHI. You can again be very specific and restrict ePHI access to only workstations on the third floor. Or, you can describe the physical attributes of the surroundings. For example, workstations should be placed to ensure that unauthorized people don’t have unsupervised access. Or require privacy filters fitted to workstation monitors so patient information isn’t easily visible to others not using the workstation. You can also set parameters around how data is accessed. Such as, laptops can be used to access ePHI while off company property as long as they are not connected to the internet via WiFi and the connection is through a VPN. Your policies should ensure ePHI is viewed and accessed in a safe and secure environment.
A few final notes about the Workstation Use standard. When you are defining your policies and procedures, keep in mind the staff that work in satellite offices or work from their homes. You will need to have policies and procedures in place for them as well. Also don’t forget about personal electronic devices brought into the workplace or the use of personal devices from home to access ePHI. You need to have policies in place to govern these edge cases as well. By the way, it is normal to find the policies and procedures you define for the Workstation Use standard overlap with your entity’s general device use policy. This is actually pretty common and in fact, the general device use policy is a pretty good starting point for your Workstation Use policies and procedures.
The next standard, Workstation Security, is closely related to the Workstation Use standard. While the Workstation Use standard addresses the policies and procedures for how workstations should be used, the Workstation Security standard addresses how workstations are to be physically protected from unauthorized users. Every entity is different and the Security Rule again calls for reasonable and appropriate measure to be put in place by each entity. In other words, conduct your own risk analysis, and determine the level of physical security to place around each workstation. If your entity allows ePHI access from tablets, do you require users to check-out each tablet and trace down every tablet that’s not returned? Is it appropriate for your entity to place workstations with access to ePHI in locked rooms? All these are considerations you must make based on your own risk assessment.
The fourth and final standard in the Physical Safeguards is the Device and Media Controls standard. This standard has 2 required implementation specifications and 2 addressable implementation specifications. Together, this standard calls for you to “implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” Once again, let’s define what electronic media means before we dive into the four implementation specifications. In the eyes of the HHS, electronic media is any medium that can be used to store or transfer ePHI and includes: computer hard drives, removable flash drives, portable USB drives and DVDs. Technically an iPad is also considered an electronic media since you can use it to store ePHI either directly, when mapped as a portable hard drive, or indirectly using apps like Box.
The first required implementation specification is titled Disposal. Since this implementation specification is required, your entity must put in place policies and procedures to “address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.” In other words, when each electronic media reaches its end of life, your entity must properly process the electronic media and be absolutely sure all ePHI stored on the digital media is erased. There are several ways to accomplish this. One way is to degauss the electronic media. Degaussing is a process which strong magnetic field is applied to magnetic based electronic media such as a computer hard drive which will fully erase the media’s content. However, the degaussing process does not work on newer storage mediums like solid state drives and flash drives which are not magnetic based. Many academic institutions have looked for ways to effectively erase content on non-magnetic drives and many concluded the only sure method is to completely destroy the media. You need to carefully take inventory of the electronic media currently in use by your entity and come up with steps to properly erase their content before their disposal.
The next required implementation specification is titled Media Re-Use. If your entity wishes to re-use electronic medias rather than dispose of them, you are required to put plans in place to ensure all ePHI stored on the electronic medias is thoroughly removed before they are re-used. As we’ve pointed out previously, while clearing content on magnetic based storage devices is fairly trivial, clearing content on non-magnetic storage devices is much more difficult. So once again, careful review the electronic media currently in use by your entity and come up with plans to erase and re-use.
Accountability is the next implementation specification and it is marked as addressable. This implementation specification calls for your entity to keep records of movements of hardware and electronic media used for ePHI and the person accountable for the move. Being an addressable implementation specification, your entity must determine what’s reasonable and appropriate record keeping. If a server is removed from your server room for servicing or if a faulty hard drive is replaced, your entity must log the specific device involved and the person authorizing the change.
The last addressable implementation specification in this standard is called Data Backup and Storage. Before any hardware and electronic media are physically moved, create a backup of the ePHI on each media device. This ensures if anything were to happen to your hardware during a move, your ePHI is protected and loss is prevented.
So far, we have covered the Facility Access Controls in a previous blog post and Workstation Use, Workstation Security and Devices and Media Controls standards in this blog post. We hope these two blog posts shed some light on the Physical Safeguards Security Rule for you.
As always, we would like to hear from you. Would you like to share your implementation experience with us? Did we fail to mention an important point? Please email us at firstname.lastname@example.org.