A few weeks ago, we spoke about Workstation Usage and how it relates to the Physical Safeguards section of HIPAA’s Security Rule. This week, we will cover Workstation Security, (Standard §164.310(b)), taking on the more literal aspects of physical safeguards. An important note for both of these sections of the ruling, no actual implementation specifics are mentioned. While you might take this as a free pass, these specific-less measures are just as important as those with rigorous requirements. The openness to interpretation mainly stems from the variance of environments that workstations can be found in.
When I talk about Workstation Security, I can’t help but compare the subject to large retail stores. As you look around these locations, you’ll notice safeguards in place to prevent theft – merchandise kept under lock and key, wired wrappings that require magnetic tools to unlock, or even the simple security tags commonly found on clothing. In essence, this is what Workstation Security refers to as well – what measures are in place to prevent theft of the hardware that contains critical PHI?
Think about your practice. Where are your computers located? Are they stationary – large, weighty desktops sitting at the front desk where patients are checked in? Are they mobile – slim, space-conserving laptops that enable providers to document patient visits from any room in the clinic? Do any of these machines leave the clinic, or are they all permanent fixtures in your office?
While Workstation Use can ensure that a stolen or lost PC is secure from intrusion through encryption, security policies, and passwords, Workstation Security works to prevent the situations where these intrusions are possible. Are your practice’s office areas behind locked doors, or could anyone walk into the offices? Are laptops stored in a secure location while not in use (locked in a cabinet)? Cable locks might also be a solid option to prevent laptop theft. While desktops are a bit less likely to be stolen, ensuring their security is no less important!
As we end our segment on Physical Safeguards next time with Section D, Device and Media Controls, we will take a broader look at Physical Safeguards in its entirety and how it plays into the Security Rule and your practice’s security.