HIPAA Security Regulations: Security Standards for the Protection of Electronic PHI: Physical Safeguards - § 164.310
As Contained in the HHS HIPAA Security Rules
HHS Security Regulations as Amended January 2013
A covered entity or business associate must, in accordance with §164.306:
(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
(2) Implementation specifications:
(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
(d)(1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
(2) Implementation specifications:
(i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
(ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
HHS Description: Security Standards for the Protection of Electronic PHI: Physical Safeguards
We proposed requirements and implementation features for documented physical safeguards to guard data integrity, confidentiality, and availability. We proposed to require safeguards in the following areas: assigned security responsibility; media controls; physical access controls; policies and guidelines on workstation use; a secure workstation location; and security awareness training. A number of specific implementation features were proposed under the media controls and physical access controls requirements.
In § 164.310 of this final rule, most of the proposed implementation features are adopted as addressable implementation specifications. The proposed requirements for the assigned security responsibility and security awareness training requirements are relocated in § 164.308.
Facility Access Controls (§ 164.310(a)(1))
We proposed, under the "Physical access controls" requirement, formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed. These controls would include the following implementation features: disaster recovery, emergency mode operation, equipment control (into and out of site), a facility security plan, procedures for verifying access authorizations before physical access, maintenance records, need-to-know procedures for personnel access, sign-in for visitors and escort, if appropriate, and testing and revision.
In § 164.310(a)(2), we combine and restate these as addressable implementation specifications. These are contingency operations, facility security plan, access control and validation procedures, and maintenance records.
Workstation Use (§ 164.310(b))
We proposed policy and guidelines on workstation use that included documented instructions/procedures delineating the proper functions to be performed and the manner in which those functions are to be performed (for example, logging off before leaving a workstation unattended) to maximize the security of health information. In this final rule, we adopt this standard.
Workstation Security (§ 164.310(c))
We proposed that each organization would be required to put in place physical safeguards to restrict access to information. In this final rule, we retain the general requirement for a secure workstation.
Device and Media Controls (§ 164.310(d)(1))
We proposed that covered entities have media controls in the form of formal, documented policies and procedures that govern the receipt and removal of hardware and/or software (for example, diskettes and tapes) into and out of a facility. Implementation features would have included "Access control," "Accountability" (tracking mechanism), "Data backup," "Data storage," and "Disposal."
In this final rule, we adopt most of these provisions as addressable implementation specifications and add a specification for media re-use. We change the name from "Media controls" to "Device and media controls" to more clearly reflect that this standard concerns hardware as well as electronic media. The proposed "Access control" implementation feature has been removed, as it is addressed as part of other standards (see section III.C.12.c of this preamble).
HHS Response to Comments Received: Security Standards for the Protection of Electronic PHI: Physical Safeguards
General Comments
Comment: Several commenters made suggestions to modify the language to more clearly describe "Physical safeguards."
Response: In response to comments, we have revised the definition of "Physical safeguards" to read as follows: "Physical safeguards are security measures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."
Comment: One commenter was concerned that electronic security systems could not be used in lieu of physical security systems.
Response: This final rule does not preclude the use of electronic security systems in lieu of, or in combination with, physical security systems to meet a "Physical safeguard" standard.
Facility Access Controls (§ 164.310(a)(1))
Comment: Many commenters were concerned because the proposed language would require implementation of all physical access control features. Other commenters were concerned that the language did not allow entities to use the results of their risk assessment and risk management process to arrive at the appropriate solutions for them.
Response: We agree that implementation of all implementation specifications may not be appropriate in all situations. While the facility access controls standard must be met, we agree that the implementation specifications should not be required in all circumstances, but should be addressable. In this final rule, all four implementation specifications are addressable. We have also determined, based on "level of detail" comments requesting consolidation of the list of implementation features, that the proposed implementation feature "Equipment control (into and out of site)" was redundant. "Equipment control" is already covered under the "Device and media controls" standard at § 164.310(d)(1). Accordingly, we have eliminated it as a separate implementation specification.
Comment: One commenter raised the issue of a potential conflict of authority between those having access to the data and those responsible for checking and maintaining access controls.
Response: Any potential conflicts should be identified, addressed, and resolved in the policies and procedures developed according to the standards under § 164.308.
Comment: Several commenters questioned whether "Physical Access Controls" was a descriptive phrase to describe a technology to be used, or whether the phrase referred to a facility.
Response: We agree that the term "Physical" may be misleading; to remove any confusion, the requirement is reflected in this final rule as a standard titled "Facility access controls." We believe this is a more precise term to describe that the standard, and its associated implementation specifications, is applicable to an entity's business location or locations.
Comment: Several commenters requested that the disaster recovery and emergency mode operations features be moved to "Administrative safeguards." Other commenters recommended that disaster recovery and emergency mode operations should be replaced by, and included in, a "Contingency Operations" implementation feature.
Response: The "Administrative safeguards" section addresses the contingency planning that must be done to contend with emergency situations. The placement of the disaster recovery and emergency mode operations implementation specifications in the "Physical safeguards" section is also appropriate, however, because "Physical safeguards" defines the physical operations (processes) that provide access to the facility to implement the associated plans, developed under § 164.308. We agree, however, that the term "contingency operations" better describes, and would include, disaster recovery and emergency mode operations, and have modified the regulation text accordingly (see § 164.310(a)(1)).
Comment: Commenters were concerned about having to address in their facility security plan the exterior/interior security of a building when they are one of many occupants rather than the sole occupant. Additional commenters were concerned that the responsibility for physical security of the building could not be delegated to a third party when the covered entity shares the building with other offices.
Response: The facility security plan is an addressable implementation specification. However, the covered entity retains responsibility for considering facility security even where it shares space within a building with other organizations. Facility security measures taken by a third party must be considered and documented in the covered entity's facility security plan, when appropriate.
Workstation Use (§ 164.310(b))
Comment: One commenter was concerned most people may be misled by the use of "terminal" as an example in the definition of workstation. The concern was that the standard only addresses "fixed location devices," while in many instances the workstation has become a laptop computer.
Response: For clarity, we have added the definition of "workstation" to § 164.304 and deleted the word "terminal" from the description of workstation use in § 164.310(b).
Workstation Security (§ 164.310(c))
Comment: Comments were directed toward the example profiled in the definition of a secure workstation location. It was believed that what constitutes a secure workstation location must be dependent upon the entity's risk management process.
Response: We agree that what constitutes an appropriate solution to a covered entity's workstation security issues is dependent on the entity’s risk analysis and risk management process. Because many commenters incorrectly interpreted the examples as the required and only solution for securing the workstation location, we have modified the regulations text description to generalize the requirement (see § 164.310(c)). Also, for clarity, the title "Secure workstation location" has been changed to "Workstation security" (see also the definition of "Workstation" at § 164.304).
Device and Media Controls (§ 164.310(d)(1))
Comment: One commenter was concerned about the exclusion of removable media devices from examples of physical types of hardware and/or software.
Response: The media examples used were not intended to represent all possible physical types of hardware and/or software. Removable media devices, although not specifically listed, are not intended to be excluded.
Comment: Comments were made that the issue of equipment re-use or recycling of media containing mass storage was not addressed in "Media controls."
Response: We agree that equipment re-use or recycling should be addressed, since this equipment may contain electronic protected health information. The "Device and media controls" standard is accordingly expanded to include a required implementation specification that addresses the re-use of media (see § 164.310(d)(2)(ii)).
Comment: Several commenters asked for a definition of the term "facility," as used in the proposed "Media controls" requirement description. Commenters were unclear whether we were talking about a corporate entity or the physical plant.
Response: The term "facility" refers to the physical premises and the interior and exterior of a building(s). We have added this definition to § 164.304.
Comment: Several commenters believe the "Media controls" implementation features are too onerous and should be deleted.
Response: While the "Device and media controls" standard must be met, we believe, based upon further review, that implementation of all specifications would not be necessary in every situation, and might even be counter-productive in some situations. For example, small providers would be unlikely to be involved in large-scale moves of equipment that would require systematic tracking, unlike, for example, large health care providers or health plans. We have, therefore, reclassified the "Accountability and data backup" implementation specification as addressable to provide more flexibility in meeting the standard.
Comment: One commenter was concerned about the accountability impact of audit trails on system resources and the pace of system services.
Response: The proposed audit trail implementation feature appears as the addressable "Accountability" implementation specification. The name change better reflects the purpose and intended scope of the implementation specification. This implementation specification does not address audit trails within systems and/or software. Rather it requires a record of the actions of a person relative to the receipt and removal of hardware and/or software into and out of a facility that are traceable to that person. The impact of maintaining accountability on system resources and services will depend upon the complexity of the mechanism to establish accountability. For example, the appropriate mechanism for a given entity may be manual, such as receipt and removal restricted to specific persons, with logs kept. Maintaining accountability in such a fashion should have a minimal, if any, effect on system resources and services.
Comment: A commenter was concerned about the resource expenditure (system and fiscal) for total e-mail backup and wanted a clarification of the extensiveness of data backup.
Response: The data an entity needs to backup, and which operations should be used to carry out the backup, should be determined by the entity's risk analysis and risk management process. The data backup plan, which is part of the required contingency plan (see § 164.308(a)(7)(ii)(A)), should define exactly what information is needed to be retrievable to allow the entity to continue business "as usual" in the face of damage or destruction of data, hardware, or software. The extent to which e-mail backup would be needed would be determined through that analysis.