HIPAA Physical Safeguards Risk Assessment Checklist

A HIPAA Physical Safeguards Risk Assessment Checklist

Nirosha Reddy

The storage of Protected Health Information (ePHI) needs to be comprehensively protected against any external leakage. There are three reviews that the handlers of this sensitive information should undertake to ease the implementation of the required safety standards. The security rule deals with security issues; technical safeguards deal with technology, and physical safeguards deal with facilities and hardware protection.

HIPAA Physical Safeguards Risk Assessment Checklist

The HIPAA Physical Safeguards Risk Review ensures that all the healthcare providers, nurses, and businesses undergo audits to guarantee compliance with the physical safeguards and thus assure safety to their clients.

HIPAA Physical Safeguards Risk Assessment Checklist

Definition of HIPAA

This body was created in 1960 with the aim of protecting information as employees moved from one company to the other. In 2003, the privacy rule was adopted by the US Department of Health and Human Services. The rule defined Protected Health Information (PHI) as any information concerning the health, treatment, or payment of healthcare of a given individual.

As technology advanced, the HIPAA security rule focusing on electronically stored PHI in 2005 which created three types of compliance safeguards; administrative (policies and procedures), physical (regulating access to healthcare data), and technical (transmission of PHI safely).

Who exactly is a healthcare provider?

As defined by HIPAA, the providers include all individuals authorized by the State to practice medicine and surgery.

What is a Covered Entity?

According to HIPAA, covered entities include health care clearinghouses, health plans, and healthcare providers who handle electronic PHI.

What is a Business Associate?

This refers to any individual/entity involved in using PHI when offering a service. May include third-party administrators or professionals who offer advisory services due to their high probability to interact with patients’ PHI.

How to Get Compliant

You’ll have to pass the risk assessment first. Your organization should use the Office of the National Coordinator for Health Information Technology to get the guidelines for the Security Risk Assessment. You should then answer the 156 questions (broken down into administrative, technical, and physical safeguards).

What are Physical Safeguards?

These are measures that any covered entity and business associate should put in place to ensure a safety of the ePHI. If unsecured, it may breach the confidentiality of the patient.

Risk Assessment

  • Start by establishing an inventory of all the physical systems (devices and media) that handle ePHI. Include the transport media.
  • Document all the facility’s location (where your organization rents, own, process, places where you collect data or storage areas of ePHI)
  • Have an inventory of all people authorized to access your facilities
  • What are the environmental factors that can destroy your information? Document them!
  • Countercheck the physical environment to ensure operations are uninterrupted
  • Determine the effects of power surges, air conditioning failure, and air filtration systems
  • Determine the effects of natural threats such as floods, fire, power loss and high temperatures to the integrity of PHI
  • Review the effects of human threat such as the unauthorized disclosure of information
  • Create a comprehensive database of the access cards, locks, doors, combinations, and keys that authorized persons should have
  • Develop and maintain records of all your workstations and electronic devices authorized to access ePHI.

Physical Access Controls Policy/Procedures

  • Develop clear policies and procedures to regulate access to all ePHI facilities. Include all output devices involved.
  • Develop policies that protect the facilities and equipment from unauthorized tampering or theft
  • Build physical protective measures such as gates, barriers, fences, and detection cameras
  • Establish procedures that restrict entrance and exit to authorized people only. Also, develop policies to access the public areas
  • Establish security features including combinations, secure key, and physical access devices
  • Determine the procedure to use for authorizing people to access inventories with ePHI. The validation should be based on the role of the authorized person.
  • Institute measures to enforce physical access authorization on all entry and exit points at ePHI facilities
  • Develop methods to only allow the workforce members and third parties who need the access to fulfill their job description indeed access the storage facilities of the ePHI
  • Develop physical access control procedures that are unpredictable (change combination regularly) and detects foul play.
  • Record all the visitors to ePHI facilities

Physical and Environmental Protection and Security Policies/Procedures

  • Develop policies and procedures for physical protection
  • Review all the organization’s needs for physical and environmental protection for guaranteed responsiveness on policies
  • Develop a facility security plan and digital media protection
  • Institute measures to regulate the receipt and removal of a media containing ePHI
  • Develop policies and procedures to address the storage, protection, accessibility, marking, and monitoring of the media that stores ePHI
  • Develop and implement tools to monitor access to the ePHI storage facility. You should have a system level security plan.

Contingency and Emergency Plan

  • Ensure that you have elaborate procedures for handling emergency situations without compromising the integrity of health information
  • Institute measures to recover the ePHI that may be lost during emergencies
  • Develop an alternative processing site to ensure continued operations. It should include the security controls tools
  • Sign the documents that guarantee the resumption of information services
  • Alternate locations should include all the equipment and supplies and security safeguards
  • Always have a copy of ePHI in the alternative location. The location should be ideal for recovery of information. Also, the locations should only allow authorized users.

Maintenance Policies/ Procedures

  • Develop policies and procedures that track all the records as well as all modifications to the physical security of ePHI locations
  • Ensure a regular maintenance program

Workstation Policies/ Procedures

  • Implement policies that detail the functionality of all workstations (including the electronic devices). Ensure proper control of the ePHI data access from output devices
  • Institute strict measures to prevent unauthorized access to workstations and all electronic devices
  • Develop an access agreement before allowing access to any party
  • Establish policy and procedures for marking media. Ensure that no unauthorized person enters the station during configuration and position of electronic devices
  • Ensure that the workstations are away from areas open to the public and store all electronic devices in those areas
  • Have detailed guidelines for access of ePHI via mobile devices

Remote Access Devices and Information Movement

  • Have proper records for hardware and electronic media movement. Also, track record of all handlers of ePHI during movement
  • Document the safety measures of the transportation medium you adopt
  • Record all transfer of hardware and electronic media that requires signed access agreements before accessing the ePHI
  • During movement, ensure elaborate backup plans for the health information.

Record Retention and Destruction

  • Document all the procedures involved in safely disposing of media containing ePHI. This should include transportation and sanitize.
  • Implement guidelines for ePHI final disposition
  • Ensure that you develop measures necessary for removing sensitive information before the devices can be reused

Internal and External Audit

  • Test emergency procedures regularly
  • Ensure that you conduct a periodic review to discontinue the access of users who no longer need access
  • Regularly review the visitors’ records (those who access the ePHI)
  • Regularly check the access database to ascertain that no unauthorized individual access the database
  • Ensure regular maintenance and repair of the facilities. Modifications to enhance security is also necessary
  • Regularly review the inventories of workstations and all the electronic devices that can access the sensitive health information
  • Undertake a regular review of the location of your information systems to determine it vulnerability
  • Maintain the records of all the individuals who access or remove the media

Leave a Reply

Your email address will not be published. Required fields are marked *

15 − 13 =