Physical security applies to the controls you place in the environment to stop someone from gaining physical access to the information you are protecting. There are four standards with four required implementation specifications and six addressable implementation specifications.

2.8.1 Facility Access Controls (Standard)

This standard addresses the procedures and policies necessary to limit physical access to ePHI.

Contingency Operations (Addressable)

Your organization has to look at who is allowed access to the facility to begin restoration of information systems following a disaster or emergency. What actions are taken to secure the ePHI during this phase of recovery?

Facility Security Plan (Addressable)

Covered entities must have a plan to protect the facility and information system equipment in the facility that has ePHI. This protection plan must prevent unauthorized physical access, tampering, and theft of the information.

2.8.2 Workstation Use (Standard)

This standard addresses how you define a workstation environment and the proper uses and functions of this environment. Is billing performed on the same workstation where clinical records are maintained? Are some workstations used by physicians and others by support professionals (lab techs, nurses, etc.)?

2.8.3 Workstation Security (Standard)

What physical safeguards do you have in place to prevent unauthorized access to ePHI? Are all workstations located in a physically secure location? Do employees need keys to access the facility where workstations are located?

2.8.4 Device and Media Controls (Standard)

Are you upgrading all your computers? What do you do with the old hard drives once you have verified the accuracy of all transferred ePHI? Do you sell them on eBay? There are two required and four addressable implementation specifications for this standard.

Disposal (Required)

Your covered entity must look at how to dispose of all electronic media that held ePHI so it remains confidential.

Media Re-use (Required)

You must decide how to remove all traces of ePHI on electronic media before the media is reused in your organization.

Accountability (Addressable)

This specification covers inventory control of all equipment and media containing ePHI, together with an audit trail of who had access to the equipment. This includes users and technicians who may have repaired the equipment.

Data Backup and Storage (Addressable)

Covered entities need to have a retrievable exact copy of ePHI. This is particularly important when the information system architecture changes and you are moving equipment from one location to another.
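A "retrievable exact copy" is only demonstrable if you can prove the backup matches the source byte for byte. The following is an added example, not code from the book: it hashes every file under a source and a backup directory with SHA-256, then reports files that are missing from the backup, differ in content, or exist only in the backup. The directory contents and file names are constructed sample data, and the `verify_copy` and `demo_*` helpers are names chosen here, not anything HIPAA or the book defines.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large media images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its digest."""
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of_file(p)
    return manifest


def verify_copy(source: Path, backup: Path) -> dict[str, list[str]]:
    """Compare a backup tree against its source and classify every discrepancy.

    'missing'  : present in source, absent from backup (restore would lose data)
    'modified' : present in both, digests differ (silent corruption or tampering)
    'extra'    : present only in backup (stray data that may itself be ePHI)
    """
    src = build_manifest(source)
    dst = build_manifest(backup)
    return {
        "missing": sorted(k for k in src if k not in dst),
        "modified": sorted(k for k in src if k in dst and src[k] != dst[k]),
        "extra": sorted(k for k in dst if k not in src),
    }


def is_exact_copy(result: dict[str, list[str]]) -> bool:
    """True only when no discrepancy of any kind was found."""
    return not (result["missing"] or result["modified"] or result["extra"])


def _write_tree(root: Path, files: dict[str, str]) -> None:
    """Helper: create constructed sample files under root."""
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


# Constructed sample data; the record contents are placeholders, not real ePHI.
SOURCE_FILES = {
    "index.csv": "id,file\n1,patient-0001.txt\n2,patient-0002.txt\n",
    "records/patient-0001.txt": "constructed sample record A\n",
    "records/patient-0002.txt": "constructed sample record B\n",
}


def demo_good() -> dict[str, list[str]]:
    """Backup that is a faithful copy of the source."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "backup"
        _write_tree(src, SOURCE_FILES)
        _write_tree(dst, SOURCE_FILES)
        return verify_copy(src, dst)


def demo_bad() -> dict[str, list[str]]:
    """Backup with one missing file, one corrupted file and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "backup"
        _write_tree(src, SOURCE_FILES)
        _write_tree(dst, {
            "records/patient-0001.txt": "constructed sample record A\n",
            "records/patient-0002.txt": "constructed sample record B (bit flipped)\n",
            "stray.tmp": "leftover temp file\n",
        })
        return verify_copy(src, dst)


if __name__ == "__main__":
    for label, result in (("good", demo_good()), ("bad", demo_bad())):
        print(label, "exact copy" if is_exact_copy(result) else result)
```

Run the verification before old equipment leaves the building, not after, and keep the source-side manifest with the backup so a later restore can be checked against the digests recorded at the time of the move.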

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181
