Security rule addresses data physical safeguards
A recent article published by the Centers for Medicare & Medicaid Services (CMS) focuses on the physical safeguards required to protect electronic health information under the Health Insurance Portability and Accountability Act’s (HIPAA) security rule, which became effective in April 2005.
The security rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion."
Facility access control standard
The first standard addressed in the rule is "facility access control," which requires covered entities to "implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."
In regard to that standard, the article suggested providers consider these questions:
- Are policies and procedures developed and implemented that address allowing authorized and limiting unauthorized physical access to electronic information systems and the facility or facilities in which they are housed?
- Do the policies and procedures identify individuals (work force members, business associates, contractors, etc.) with authorized access by title and/or job function?
- Do the policies and procedures specify the methods used to control physical access, such as door locks, electronic access control systems, security officers, or video monitoring?
Under the facility access controls standard, there are four implementation specifications. The first of which is contingency operations, defined as "procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency."
The following are questions providers should consider in connection with this provision:
- Are procedures developed to allow facility access while restoring lost data in the event of an emergency, such as a loss of power?
- Can the procedures be appropriately implemented, as needed, by those work force members responsible for the data restoration process?
- Do the procedures identify personnel who are allowed to re-enter the facility to perform the data restoration?
- Is the content of this procedure also addressed in the entity’s contingency plan? If so, should the content be combined?
(The entire article is available on the CMS web site at www.cms.hhs.gov.)
A recent article published by the Centers for Medicare & Medicaid Services (CMS) focuses on the physical safeguards required to protect electronic health information under the Health Insurance Portability and Accountability Acts security rule, which became effective in April 2005.
You have reached your article limit for the month. Subscribe now to access this article plus other member-only content.
- Award-winning Medical Content
- Latest Advances & Development in Medicine
- Unbiased Content