HIPAA Physical Security Guidance
Under HIPAA regulation, security safeguards are an important part of keeping your behavioral health business safe. Recently, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released new guidance reinforcing the importance of HIPAA Physical Security safeguards for health care professionals across the country.
But how can behavioral health professionals adequately address their HIPAA physical security standards while maintaining and growing their business?
Understanding HIPAA Security
Under the HIPAA Security Rule, health care professionals are required to address regulatory standards meant to safeguard the use and transmission of protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, date of birth, telephone number, email address, Social Security number, medical record, and full facial photo, to name a few.
The HIPAA Security Rule identifies three different kinds of safeguards that must be addressed to ensure the confidentiality, integrity, and availability of PHI. These safeguards include:
- Technical Safeguards to protect electronic use and transmission of data
- Physical Safeguards to protect premises where PHI is stored
- Administrative Safeguards to ensure that members of the workforce are properly trained to implement all security standards
HHS Reinforces HIPAA Physical Security
HHS released new guidance to reinforce the importance of HIPAA Physical Security safeguards for health care providers. Physical Security safeguards are an often overlooked component of the regulation that can have a huge impact on maintaining the safety of patient information.
Headlines detailing cyber-security incidents and ransomware or malware incidents are becoming more and more popular. And because of the threat to PHI maintained in a digital format, it makes sense that health care providers are focusing on cyber-security measures. However, this new HHS physical security guidance underscores the importance of having protections in place as well.
Although PHI is being maintained in an increasingly digital fashion with electronic health records (EHR) platforms, those platforms maintaining that data are ultimately operated through physical servers. Those servers may be stored off-site at a third-party data hub, or on a smaller scale within a health care provider’s physical office.
In either case, HIPAA regulation mandates that health care professionals implement HIPAA physical security safeguards to protect these servers–or any devices–that maintain PHI. Even laptops or computer systems that can access PHI must be physically secured to prevent theft and ultimate data loss.
Implementing HIPAA Physical Security safeguards is an essential component of creating an effective compliance program to protect your practice against data breaches and HIPAA fines.