10. Control Physical Access

 

 

Not only must assets like files and information be secured; the devices themselves that make up an EHR system must also be safe from unauthorized access. The single most common way that electronic health information is compromised is through the loss of devices, whether this happens accidentally or through theft. Incidents reported to the Office for Civil Rights show that more than half of all these data loss cases consist of missing devices, including portable storage media (e.g., thumb or flash drives, CDs, or DVDs), laptops, handhelds, desktop computers, and even hard drives ripped out of machines, lost and stolen backup tapes, and entire network servers.

 

Should a data storage device disappear — no matter how well an office has taken care of its passwords, access control, and file permissions — it is still possible that a determined individual could access the information on it. Therefore, it is important to limit the chances that a device may be tampered with, lost, or stolen.

 

Securing devices and information physically should include policies limiting physical access, e.g., securing machines in locked rooms, managing physical keys, and restricting the ability to remove devices from a secure area.

 

Where should I place my server that stores electronic health information?

 

When considering where to locate a server containing electronic health information (such as within an EHR), two main factors should be considered: physical and environmental protection. Physical protection should be focused on preventing unauthorized individuals from accessing the server (e.g., storing the server in a locked room accessible only to staff). Environmental protections should focus on protecting the server from fire, water, and other elements (e.g., never store a server in a restroom; instead store the server off the floor, away from water and windows, and in a temperature-regulated room).

 


 

Physical Access Checklist

 Policies are in place prescribing the physical safety and security of devices.

 All staff members understand and agree to abide by physical access policies and procedures.

 All devices containing Protected Health Information (PHI) are inventoried and can be accounted for.

 Computers are protected from environmental hazards.

 Physical access to secure areas is limited to authorized individuals.

 Computers running Electronic Health Record (EHR) systems are shielded from unauthorized viewing.

 Equipment located in high-traffic or less secure areas is physically secured.