OCR Reminds Us about a Fundamental Aspect of Physical Security for PHI


In its monthly Cybersecurity Newsletter at the end of May, the Office of Civil Rights (OCR) of the United States Department of Health and Human Services pointedly reminds us of the need to be conscious of some fundamental physical safeguards for cybersecurity. The HIPAA Security Rule has a provision devoted to physical security, but as the OCR newsletter points out, “physical security is an important component of the HIPAA Security Rule that is often overlooked.” One aspect of security that is lurking in plain sight is the workstation.

The Security Rule addresses physical security in 45 C.F.R. § 164.310, which focuses on two key areas: 1) controls on physical access to the facility or area where systems that process Protected Health Information (PHI) operate; and 2) protecting the individual system components like workstations.

The May OCR newsletter highlights some important issues relating to the workstations that handle PHI. To put this in context, let’s start with some basic concepts:

  • The “Workstation” concept, under the Security Rule, includes not only each electronic computing device that stores or processes PHI, but also nearby electronic media.
  • The Security Rule has Standards that establish criteria with which an organization must comply, as well as Implementation Specifications with more detailed guidance.
  • The Security Rule designates some implementation specifications as “Required” and others as “Addressable.” The Required specifications are mandatory, but “Addressable” does not mean “ignorable.” An organization still must assess Addressable implementation specifications, weigh the costs of implementation, and then document the conclusion reached in the assessment on whether to implement.
  • The Risk Analysis: Among the Required administrative safeguards in the HIPAA Security Rule is a risk analysis, in which the organization assesses the risks to its PHI – specifically, how the confidentiality or integrity of PHI might be compromised, and how its availability to the organization might be imperiled.

The Security Rule requires organizations to adopt policies specifying the functions to be performed at a Workstation, and addressing the design or configuration of any area where a Workstation will be in use. It is important to remember that the risk analysis and the resulting policies should consider circumstances where the Workstation is in use out of the office, for instance when an individual is working on a portable device like a laptop at home or on the road. The Workstation policy must account for all likely use scenarios.

The Security Rule also identifies physical safeguards for Workstations, including device and media controls to restrict the use and movement of portable electronic media; and the May Newsletter highlights several key steps that each organization should address:

  • Completing an inventory of all electronic devices that contain or process PHI;
  • Reviewing the location of all such devices and assessing the risks of unauthorized viewing or theft at all the locations where they will be in use; and
  • Analyzing the current physical controls that are in place for each device and determining whether additional security measures are warranted.

The HIPAA Security Rule recognizes, in 45 C.F.R. § 164.306, that as part of its risk analysis, each organization has the leeway to gauge its security risks and weigh the costs of implementing particular protections against the risks it has identified to assess whether particular measures make sense. OCR reiterates this in its May Newsletter: “What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process.”

However, OCR’s May newsletter also pointedly emphasizes that many safeguards for workstations “are available at little or no cost.” It specifically mentions privacy screens to prevent inappropriate peripheral viewing, and cable locks on devices to prevent theft, as two items that can be purchased for $20 to $40; it also notes that devices restricting access to computer ports and drives are inexpensive. So with this message from the May newsletter, OCR clearly is nudging each organization affected by HIPAA to take another careful look at its Workstation policies and the measures that can be taken to protect the PHI that is stored and processed on this ubiquitous component in every IT system.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.
