Covered Entities Are Reminded Not to Neglect Physical Security Controls


The Department of Health and Human Services’ Office for Civil Rights (OCR) is reminding HIPAA covered entities that they should not only focus on technical controls but on physical security controls to safeguard protected health information (PHI).

The simplest way to protect the privacy of PHI is to implement physical controls, yet this is often neglected. It costs little – if anything – to ensure that portable electronic devices such as laptop computers, pen drives and portable storage devices are secured when not in use. Applied conscientiously, this basic form of security is an effective way of preventing theft; neglected, it can prove very costly.

In 2016, Feinstein Institute for Medical Research paid $3.9 million to settle potential HIPAA violations with OCR. A laptop that contained 13,000 patients’ PHI was stolen from an employee’s vehicle. The University of Mississippi Medical Center also paid $2,750,000 in the same year to settle its HIPAA violations, which related to the failure to secure an unencrypted laptop computer with the ePHI of about 10,000 patients. The device was stolen from its Medical Intensive Care Unit.

In 2015, Lahey Hospital and Medical Center paid $850,000 after it failed to use appropriate physical security controls that could have prevented the theft of an unencrypted laptop computer used with a computerized tomography (CT) scanner and the exposure of 599 patients’ PHI.

In 2014, QCA Health Plan paid OCR $250,000 to settle potential HIPAA violations. In that case, QCA had failed to physically secure an unencrypted laptop computer, which was stolen from an employee’s vehicle. In 2012, Massachusetts Eye and Ear Infirmary (MEEI) paid $1.5 million to OCR. An unencrypted laptop computer was stolen, resulting in the inadvertent disclosure of ePHI. Appropriate physical controls could have prevented the theft.

HIPAA covered entities and business associates need to implement physical controls on workstations (laptops, desktop computers, portable storage devices, tablets and smartphones) and restrict ePHI access to authorized users only. HIPAA does not dictate which physical security controls to implement; the choice should be guided by the organization’s risk analysis and risk management processes.

Physical security controls are an essential element of HIPAA compliance and include some of the most cost effective – and effective – ways of securing PHI. These measures include:

  • Positioning desks in such a way that screens are not viewable to anyone other than the user
  • Using privacy screens to prevent shoulder surfing
  • Using cable locks to prevent electronic devices from being stolen
  • Installing security cameras to deter thieves
  • Posting signage to remind employees about physical security controls
  • Using port and device locks to prevent copying of ePHI using CD/DVD drives and USB connections
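As an added illustration (not part of the OCR reminder or of this article), the following PowerShell audit checks two software complements to the physical measures listed above on a Windows workstation: whether the operating-system drive is BitLocker-encrypted, the gap behind the unencrypted laptops in the settlements described earlier, and whether removable storage has been blocked by policy, the software counterpart of a USB port lock. It assumes the BitLocker PowerShell module and an elevated session; the registry paths and values are the standard Windows ones.

```powershell
# Added example, not from OCR or this article: audits two software complements
# to the physical controls above on a Windows workstation.
# Assumes the BitLocker module (Windows 8 / Server 2012 or later) and an
# elevated session. Registry paths and values are the documented Windows ones.

function Get-DiskEncryptionStatus {
    # A volume reported as FullyEncrypted with ProtectionStatus On turns a
    # stolen laptop into lost hardware rather than a reportable ePHI breach.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

function Test-RemovableStorageBlocked {
    # Group Policy "All Removable Storage classes: Deny all access" writes Deny_All = 1.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                               -Name Deny_All -ErrorAction SilentlyContinue
    # The USB mass-storage driver is disabled when its Start value is 4.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        RemovableStoragePolicyDenyAll = ($null -ne $policy  -and $policy.Deny_All -eq 1)
        UsbStorDriverDisabled         = ($null -ne $usbstor -and $usbstor.Start -eq 4)
    }
}

# Report: flag an unprotected OS volume, then print both checks.
$volumes = Get-DiskEncryptionStatus
$osVolume = $volumes | Where-Object VolumeType -eq 'OperatingSystem'
if ($null -eq $osVolume) {
    Write-Warning 'No BitLocker operating-system volume found; the drive is not encrypted by BitLocker.'
} elseif ($osVolume.VolumeStatus -ne 'FullyEncrypted' -or $osVolume.ProtectionStatus -ne 'On') {
    Write-Warning "OS volume $($osVolume.MountPoint) is not fully encrypted with protection on."
}
$volumes | Format-Table -AutoSize
Test-RemovableStorageBlocked | Format-List
```

Run it from an elevated prompt on each workstation that handles ePHI; a warning on the OS volume or a `False` on either removable-storage check identifies a device that physical controls alone are protecting.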