The U.S. Department of Health & Human Services, Office of Civil Rights (HHS-OCR) recently issued a newsletter regarding compliance with the HIPAA Security Rule’s requirements for physical security

The newsletter notes that covered entities and business associates too often overlook HIPAA’s requirements to secure protected health information (PHI) contained on “workstations.” HIPAA regulations define a “workstation” as “a computing device, for example a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.” The newsletter emphasizes that portable electronic devices are included under this definition and instructs covered entities and business associates to implement physical security strategies for all tablets, smart phones, and similar portable electronic devices that contain PHI.

The newsletter further notes that there are many dependable and inexpensive physical security control options for such devices, including privacy screens, cable locks, port and device locks that restrict access to USB ports, and software that can be used to restrict access to USB ports. Additionally, there are multiple physical security options that do not cost anything, including positioning device screens away from locations where they could be improperly viewed, and locking equipment and media in secured areas.

The newsletter also lists the following questions that covered entities and business associates could use to assess the effectiveness of a physical security strategy:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media), including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems), and are they easy to use?
  • What additional physical security controls could be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (e.g., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

Covered entities and business associates that fail to establish reasonable physical security strategies are at risk of serious consequences. HHS-OCR investigations of alleged violations of HIPAA’s Security Rule have resulted in large fines and settlements. As an example, the newsletter highlights an OCR investigation where a hospital agreed to pay $850,000 to settle allegations that it had breached the Privacy Rule when a laptop containing PHI was stolen from an unlocked room.

The attorneys at Chilivis Grubman assist healthcare entities of all types and sizes with HIPAA-related issues, including audits, assessments, and OCR investigations. For any questions, or if we can assist you in connection with such a matter, please contact us at (404) 262-6505 or