Chapter 12: Physical Safeguards


12.1 INTRODUCTION

Physical security is a wide and diverse area that different covered entities address in different ways. Many organizations use ISO 17799, a global security management standard containing detailed security guidance, as a baseline and benchmark for comparison. Some large covered entities also use COBIT (Control Objectives for Information and Related Technology), developed by ISACA (Information Systems Audit and Control Association), to implement, measure and audit a physical safeguard program.

The overall objective of physical safeguards is to protect systems and data media within structures, and the structures themselves, from natural and environmental hazards and from unauthorized access or intrusion. The level of protection a covered entity needs is not only a compliance matter of mitigating the exposures and vulnerabilities identified in the risk analysis under the Security Management Process standard, but also a business decision to align information security with the company's business direction and strategy. Decisions on how to address each HIPAA security standard and each 'required' and 'addressable' implementation specification must be made and documented in the risk management process.

Although few would question that a covered entity must implement a 'required' implementation specification as written, many tend to believe that their organizations can do less, or nothing, for each 'addressable' implementation specification. Contrary to this misunderstanding, for each addressable specification a covered entity must either implement the specification as written if it is reasonable and appropriate, implement an equivalent alternative security measure that accomplishes the same purpose of the standard, or implement nothing if the specification is not reasonable and appropriate and the standard can still be met; in every case the decision and its rationale must be documented. All such decisions are subject to the covered entity's own compliance checks and validation processes. Whether a decision was 'reasonable and appropriate' will be closely examined and measured by whether it is legally sound in a compliance audit or, in the worst case, in litigation.

The HIPAA Security Rule defines physical safeguards with four standards: Facility Access Controls, Workstation Use, Workstation Security, and Device and Media Controls. The four standards form a three-tier security model: facility, workstation, and device and media. Depending on their size and capabilities, covered entities may own, lease or even share facilities to do business. Consequently, the implementation of the first-tier physical safeguard, the Facility Access Controls standard, is very flexible, with all four of its implementation specifications (i.e., Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, and Maintenance Records) being 'addressable'.

The second-tier physical safeguard has two standards: Workstation Use and Workstation Security. Both are 'required' standards with no implementation specifications. Covered entities can address these two standards together or separately. Workstation Use defines the authorized and acceptable use of all computing devices, while Workstation Security deploys appropriate physical safeguards to ensure that workstations are used only within the boundaries defined by Workstation Use.

The last-tier safeguard, Device and Media Controls, falls between the other two in implementation flexibility. The Disposal and Media Re-use implementation specifications are 'required', since every covered entity, small or large, faces the same issues when devices and electronic media leave service or are reassigned. The implementation of the two 'addressable' specifications (i.e., Accountability and Data Backup and Storage) will differ considerably between large organizations and small practices.

Basically, the policies and procedures of physical safeguards address the protection of a covered entity's physical assets, which in turn protects health information from unauthorized access or intrusion. Although this may seem an eclectic mix of 'required' and 'addressable' implementation specifications, the physical safeguard standards are quite flexible and scalable, since all covered entities can use the tools of risk analysis and risk management to explore alternatives, decide on and document a 'reasonable and appropriate' approach, and implement solutions that meet compliance requirements.

Many standards and implementation specifications under physical safeguards use terms like 'establish', 'implement' or 'implement as needed'. 'Establish' means to develop and authorize a policy and procedure for use in the covered entity. 'Implement' means to put policies and procedures into operational practice through solution design, system integration and workforce training, while verifying through evaluation and audit that they are working properly. 'Implement as needed' applies where a covered entity can plan and prepare in advance but cannot execute until a triggering situation occurs, such as contingency operations.

The terms policy and procedure are used throughout this chapter and are distinct. A policy describes only the general means for addressing a specific problem, while a procedure defines the specific operational or manual steps a worker must take to achieve a desired output. A security policy is the framework within which an organization establishes the needed levels of information security to achieve its confidentiality, integrity and availability goals. It is a statement of information values, protection responsibilities and organizational commitment, and is typically written at a much higher level than a procedure. A security procedure is a documented practice for managing the selection and execution of security measures and the conduct of personnel in relation to the protection of data.

Some standards and specifications, namely the Workstation Security standard and the Accountability and Data Backup and Storage implementation specifications under the Device and Media Controls standard, call directly for specific security measures rather than for policies and procedures. Although formal policies and procedures are not required in these cases, a covered entity should consider establishing and implementing documented security guidelines to ensure that such safeguards are in place and are documented in accordance with the standard being followed. Implementing such guidelines may help a covered entity avoid liability for negligence, breach of fiduciary duty and failure of due care.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181