In its monthly Cybersecurity Newsletter at the end of May, the Office of Civil Rights (OCR) of the United States Department of Health and Human Services pointedly reminds us of the need to be conscious of some fundamental physical safeguards for cybersecurity. The HIPAA Security Rule has a provision devoted to physical security, but as the OCR newsletter points out, “physical security is an important component of the HIPAA Security Rule that is often overlooked.” One aspect of security that is lurking in plain sight is the workstation.

The Security Rule addresses physical security in 45 C.F.R. § 164.310, which focuses on two key areas: 1) controls on physical access to the facility or area where systems that process Protected Health Information (PHI) operate; and 2) protecting the individual system components, like workstations.

The May OCR newsletter highlights some important issues relating to the workstations that handle PHI. To put this in context, let’s start with some basic concepts:

The Security Rule requires organizations to adopt policies specifying the functions to be performed at a Workstation, and addressing the design or configuration of any area where a Workstation will be in use. It is important to remember that the risk analysis and the resulting policies should consider circumstances where the Workstation is in use out of the office, for instance when an individual is working on a portable device like a laptop at home or on the road. The Workstation policy must account for all likely use scenarios.

The Security Rule also identifies physical safeguards for Workstations, including device and media controls to restrict the use and movement of portable electronic media; and the May Newsletter highlights several key steps that each organization should address:

The HIPAA Security Rule recognizes, in 45 C.F.R. § 164.306, that as part of its risk analysis, each organization has the leeway to gauge its security risks and to weigh the costs of implementing particular protections against the risks it has identified, in order to assess whether particular measures make sense. OCR reiterates this in its May Newsletter: “What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process.”

However, OCR’s May newsletter also pointedly emphasizes that many safeguards for workstations “are available at little or no cost.” It specifically mentions privacy screens to prevent inappropriate peripheral viewing, and cable locks on devices to prevent theft, as two items that can be purchased for $20 to $40; it also notes that devices restricting access to computer ports and drives are inexpensive. With this message in the May newsletter, OCR is clearly nudging each organization affected by HIPAA to take another careful look at its Workstation policies and at the measures that can be taken to protect the PHI that is stored and processed on this ubiquitous component of every IT system.
