
Standards for Security and Electronic Signatures

NOTE: This section of the Security Standard has been updated in the final Security Rule as of April 21, 2003, and is no longer current - it is provided for reference only.

2. Physical Safeguards to Guard Data Integrity, Confidentiality, and Availability

The requirements and implementation features for physical safeguards are presented at § 142.308(b) of this proposed rule. We would require each of these safeguards to be documented. We would require this documentation to be made available to those individuals responsible for implementing the safeguards and to be reviewed and updated periodically. The following matrix depicts the requirements and implementation features for the Physical Safeguards category. Following the matrix is a discussion of each of the requirements under that category.

PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Requirement: Assigned security responsibility
  Implementation features: none listed.

Requirement: Media controls (all listed implementation features must be implemented)
  Implementation features:
  • Access control.
  • Accountability (tracking mechanism).
  • Data backup.
  • Data storage.
  • Disposal.

Requirement: Physical access controls (limited access) (all listed implementation features must be implemented)
  Implementation features:
  • Disaster recovery.
  • Emergency mode operation.
  • Equipment control (into and out of site).
  • Facility security plan.
  • Procedures for verifying access authorizations prior to physical access.
  • Maintenance records.
  • Need-to-know procedures for personnel access.
  • Sign-in for visitors and escort, if appropriate.
  • Testing and revision.

Requirement: Policy/guideline on work station use
  Implementation features: none listed.

Requirement: Secure work station location
  Implementation features: none listed.

Requirement: Security awareness training
  Implementation features: none listed.

a. Assigned Security Responsibility

We would require the security responsibility to be assigned to a specific individual or organization, and that the assignment be documented. These responsibilities would include the management and supervision of (1) the use of security measures to protect data, and (2) the conduct of personnel in relation to the protection of data. This assignment is important to provide an organizational focus and importance to security and to pinpoint responsibility.

b. Media Controls

Media controls would be required in the form of formal, documented policies and procedures that govern the receipt and removal of hardware/software (for example, diskettes, tapes) into and out of a facility. They are important to ensure total control of media containing health information. These controls would include the following mandatory implementation features:

  • Controlled access to media.
  • Accountability (tracking mechanism).
  • Data backup.
  • Data storage.
  • Disposal.

c. Physical Access Controls

Physical access controls (limited access) would be required. These would be formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed. These controls would be extremely important to the security of health information by preventing unauthorized physical access to information and ensuring that authorized personnel have proper access. These controls would include the following mandatory implementation features:

  • Disaster recovery.
  • Emergency mode operation.
  • Equipment control (into and out of site).
  • A facility security plan.
  • Procedures for verifying access authorizations prior to physical access.
  • Maintenance records.
  • Need-to-know procedures for personnel access.
  • Sign-in for visitors and escort, if appropriate.
  • Testing and revision.

d. Policy/Guideline on Workstation Use

Each organization would be required to have a policy/guideline on workstation use. These documented instructions/procedures would delineate the proper functions to be performed and the manner in which those functions are to be performed (for example, logging off before leaving a terminal unattended). This would be important so that employees will understand the manner in which workstations must be used to maximize the security of health information.

e. Secure Workstation Location

Each organization would be required to put in place physical safeguards to eliminate or minimize the possibility of unauthorized access to information. This would be important especially in public buildings, provider locations, and in areas where there is heavy pedestrian traffic.

f. Security Awareness Training

Security awareness training would be required for all employees, agents, and contractors. This would be important because employees would need to understand their security responsibilities based on their job responsibilities in the organization and make security a part of their daily activities.

©2001-2008 HIPAAssociates, Inc.