Physical security applies to the controls you place in the environment to stop someone from gaining access to the information you are protecting. There are four standards with four required implementation specifications and six addressable implementation specifications.
This standard addresses the procedures and policies necessary to limit physical access to ePHI.
Your organization has to look at who is allowed access to the facility to begin restoration of information systems following a disaster or emergency. What actions are taken to secure the ePHI during this phase of recovery?
Covered entities must have a plan to protect the facility and information system equipment in the facility that has ePHI. This protection plan must prevent unauthorized physical access, tampering, and theft of the information.
This standard addresses how you define a workstation environment and the proper uses and functions of this environment. Is billing performed on the same workstation where clinical records are maintained? Are some workstations used by physicians and others by support professionals (lab techs, nurses, etc.)?
What physical safeguards do you have in place to prevent unauthorized access to ePHI? Are all workstations located in a physically secure location? Do employees need keys to access the facility where workstations are located?
Suppose you are upgrading all your computers. What do you do with the old hard drives once you have verified the accuracy of all transferred ePHI? Do you sell them on eBay? There are two required and four addressable implementation specifications for this standard.
Your covered entity must look at how to dispose of all electronic media that held ePHI so it remains confidential.
You must decide how to remove all traces of ePHI on electronic media before the media is reused in your organization.
Maintain inventory control of all equipment and media containing ePHI, together with an audit trail of who had access to the equipment. This includes users and technicians who may have repaired the equipment.
Covered entities need to have a retrievable exact copy of ePHI. This is particularly important when the information system architecture changes and you are moving equipment from one location to another.