Policy on Physical Security of PHI and e-PHI

Purpose

  1. First Due is obligated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to establish physical safeguards to protect electronic protected health information (“e-PHI”) and other PHI. This policy establishes our security measures to protect our electronic information systems, networks and applications as well as buildings and equipment from natural and environmental hazards, and unauthorized intrusion. 
             

Scope

  1. This policy applies to all First Due staff. All staff should be on the lookout for any potential problems that could jeopardize the security of electronically stored information, especially e-PHI.  This policy describes our general approach to facility security and the steps necessary to prevent a breach in the physical security system in place. It also describes our general procedures to limit physical access to electronic information systems and the buildings and rooms in which they are housed, and our general procedures on disposal or reissuance of equipment containing e-PHI.


Policy


Facility Access Controls

  1. Access to areas of our facility that contain our information system with e-PHI will be granted only to those with a verifiable and approved business need to have access.
  2. All First Due staff members will be issued identification cards or badges for security purposes.  These badges and identification must be displayed at all times while on the premises.
  3. Access control will be established with physical hardware that prevents improper or inadvertent entry into a secure area.  This hardware may include combination locks, swipe cards, smart cards and other devices on all doors housing our information system equipment.
  4. Any space in a building that we share with another entity that contains PHI that we create, receive, maintain or transmit will be maintained at the same level of security as if we owned the space.  Specifically, we will protect that area from access by others in the building who are not part of First Due.
  5. Disabling or circumventing any of the physical security protections is strictly prohibited. Any problems with physical security measures must be reported to the HIPAA Compliance Officer immediately. 


Facility Security Plan  

  1. The HIPAA Compliance Officer will be responsible for developing a facility security plan that protects our buildings from unauthorized physical access, tampering, and theft.
  2. The plan will incorporate hardware to limit access to our buildings to only those persons with proper keys and/or access codes.
  3. First Due will maintain a current list of all staff members who have authorization to access our facilities with PHI.  Where appropriate, First Due will install security systems including video surveillance to protect PHI and to ensure the security of our information systems.
 

Access Control and Validation Procedures 

  1. First Due has established procedures for controlling and validating a staff member’s access to our facilities.  Access to various areas of the facilities will be based on the role of the staff person and their need to access a particular area.
  2. Access to locations that house our systems, networks or applications with PHI that we create, receive, maintain or transmit will have the greatest limitations on access, and access to these critical areas will be reviewed frequently by management and the HIPAA Compliance Officer.
 

Maintenance Records

  1. To help ensure that our physical security systems are in continuous operation, First Due has developed a maintenance program for all security devices, including locks, keypads, and other access devices.
  2. Any repairs or change outs of any security devices will be recorded.



Workstation Security and Use

  1. A “workstation” is defined as any electronic computing device, such as a desktop computer, laptop computer, mobile electronic device or any other device that is used to create, receive, maintain or transmit PHI.
  2. All workstations (including fixed locations such as in our billing or business office and mobile workstations such as with portable electronic devices for field use) should be password protected so that they may not be accessed without authentication by an authorized user. 
  3. All workstations are set up to lock out after a set time period so that if the staff member is no longer using the workstation for a set period of time, access will not be permitted without the proper password.
  4. Procedures are established for each work area, depending on the nature of the work area, to limit viewing of workstation device screens to only those operating the workstation wherever possible.
    1. In office areas, all screens should be pointed away from hallways and open areas.  The screens should be pointed away from chairs or other locations where non-staff members, such as patients, may be.
    2. In field operations, ambulance personnel will need to follow procedures to ensure that the devices are not left in an open area, such as a countertop in the Emergency Department.
  5. Workstations will be set so that staff members may not inadvertently change or disable security settings, or access areas of the information system they are not authorized to access.
  6. Only those authorized to access and use the workstation will be permitted to use the workstation. 
  7. No software may be downloaded or installed on the workstation in any manner without prior authorization.  (This prohibition includes computer games, screen savers, and anti-virus or anti-spam programs).
  8. All staff members will log out or lock workstations whenever they are left unattended or will not be in use for an extended period of time. 
  9. All portable workstation devices will be physically secured wherever possible when not in use.  Laptops will be locked with security cables and other mobile devices will be locked in physical locations or in an appropriate storage compartment when not in use.
  10. Remote access to e-PHI on our information system must be approved by First Due.
 


Disposal of Hardware and Electronic Media Devices and Media Controls

  1. First Due carefully monitors and regulates the receipt and removal of hardware and electronic media that contain PHI and other patient and business information into and out of our stations and other facilities. 
  2. As a general rule, simple deletion of files or folders is not sufficient to ensure removal of the file or data.  This simply removes the directional “pointers” that allow a user to find the file or folder more readily.  Deleted files are usually completely retrievable with special software and computer system expertise. 
  3. First Due has in place the following procedures governing the disposal of hardware, electronic media, and e-PHI stored on hardware and other electronic media:
    1. Sanitizing Hard Disk Drives.  All hard disk drives that have been approved by the HIPAA Compliance Officer for removal and disposal (or taken out of active use) shall be sanitized so that all programs and data have been removed from the drive.  First Due will follow industry best practices (such as the U.S. Department of Defense clearing and sanitizing standard – DoD 5220.22-M) when cleaning off hard drives. 
    2. Proper sanitizing usually involves a reformatting of the hard drive in a secure manner with an approved wipeout utility program.  Degaussing software may need to be used to ensure total removal of files. 
    3. No hard drive will be reissued, sold or otherwise discarded until the drive has been sanitized. 
    4. Media Re-Use.  All e-PHI and other patient and business information shall be removed from any media devices before they are made available for reuse. 
    5. Accountability.  First Due tracks the movement of all computer hardware, workstations, and data storage devices.  Movement both within the organization and outside the organization is tracked. 
  4. Data Backup and Storage.  Each information system area will create an exact copy of all e-PHI when necessary immediately prior to any movement or disposal. This procedure is in addition to the standard routine backup protocol to ensure that all e-PHI is preserved before potential compromise. 
  5. Destruction of Paper and Electronic PHI.  When destroying and/or permanently removing PHI from electronic media for any purpose, First Due shall adhere to HHS’s “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.”  In accordance with that Guidance, paper, film, or other hard copy media shall be shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Electronic PHI is considered to be destroyed or permanently removed from electronic media when the media that contain the PHI have been cleared, purged, or destroyed consistent with “NIST Special Publication 800–88, Guidelines for Media Sanitization,” such that the electronic PHI cannot be retrieved. (NIST Special Publication available at: www.nist.gov).

