June 26, 2018 

Do you consider your phone a “workstation”?  When it comes to the privacy of protected health information, the government does. 

In a recent cybersecurity newsletter, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) provided a reminder about physical security.  Most of the time, when health information privacy is discussed, people picture clandestine hackers gaining access to millions of electronic files.  However, as the OCR newsletter points out, the safeguards required under the Health Insurance Portability and Accountability Act (“HIPAA”) also include some fairly basic physical security practices.

Under the HIPAA Security Rule, covered entities (health plans among them) and their business associates must implement physical safeguards for every “workstation” that accesses electronic protected health information (45 CFR 164.310(c)).  Physical security means taking measures to keep devices from being stolen and to keep information displayed on a screen from being seen by anyone not authorized to see it.  The rule’s definition of “workstation” is broad: any electronic computing device, together with the electronic media kept around it.  That includes the phone you probably carry in your purse or pocket, as well as the more obvious desktops, laptops, and tablets.

Some of the security controls suggested in the bulletin include: 

  • Positioning devices.  This is probably the most basic physical security control.  It includes angling computer screens so they are not visible to others, and keeping computers and other devices that handle protected health information (“PHI”) behind locked doors, especially when not in use.

  • Privacy screens.  These prevent someone who is sitting next to you from seeing what you’re working on.  If you’re sitting on an airplane (particularly in the dreaded middle seat), these can help prevent “shoulder surfing” where a nosy neighbor looks over to see what’s on your screen.  These types of screens are typically available for all sizes of devices, from the smallest smartphone to the largest computer.

  • Locking up devices when not in use.  This seems obvious, but it is easily overlooked.  Simple protections such as fitting laptop docking stations with cable locks and keeping laptops out of sight in the trunk of a car when traveling fall into this category.  Locks deter theft but do nothing for the data on a device that is taken anyway; that is the job of full-disk encryption, a technical safeguard that belongs alongside these physical ones.

  • Port and device locks.  This means locking down computers so that they will not accept data from, or send data through, their USB ports, whether by physically blocking the ports or by configuring the operating system to refuse removable storage.  It prevents a user from copying PHI onto a USB thumb drive or similar device, and it keeps a thumb drive from delivering malicious software onto the computer.

  • Cameras and security guards.  For some organizations, these types of protections at physical locations may be appropriate as well.
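As an added illustration of the port-lock control above (this is example code, not from the OCR newsletter or the HUB article): on a Linux workstation the software side of a USB port lock can be done with two small policy files, a modprobe rule that refuses to load the USB mass-storage drivers, and a udev rule that de-authorizes any mass-storage interface the moment it is attached, plus an audit function that confirms both are still in place.  The file names, the `$root` parameter (normally `/etc`) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the HUB article: a software port lock for USB
# mass storage on a Linux workstation. It writes two policy files so that a
# thumb drive can neither copy PHI off the machine nor deliver files onto it,
# then audits that the policy is in place. The file names and the $root
# parameter (normally /etc) are assumptions chosen for this example.
set -eu

MODPROBE_CONF="modprobe.d/hipaa-usb-storage.conf"
UDEV_RULE="udev/rules.d/99-hipaa-usb-storage.rules"

# Layer 1: refuse to load the USB mass-storage drivers at all.
# "install X /bin/false" makes modprobe run /bin/false instead of loading X,
# so no block device is ever created for a thumb drive.
write_usb_storage_modprobe() {
    root="$1"
    mkdir -p "$root/modprobe.d"
    cat > "$root/$MODPROBE_CONF" <<'EOF'
# PHI workstation policy: never load USB mass-storage drivers.
install usb-storage /bin/false
install uas /bin/false
blacklist usb-storage
blacklist uas
EOF
}

# Layer 2: even if a driver is already resident (built into the kernel, say),
# de-authorize any newly attached mass-storage interface (bInterfaceClass 08)
# before a driver can bind to it. Interface authorization needs Linux 4.4+.
write_usb_storage_udev() {
    root="$1"
    mkdir -p "$root/udev/rules.d"
    cat > "$root/$UDEV_RULE" <<'EOF'
# PHI workstation policy: drop USB mass-storage interfaces on attach.
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"
EOF
}

# Audit: return 0 only if both layers are present and intact; report what is
# missing on stderr. Useful as a periodic compliance check, not just at install.
audit_usb_storage_lock() {
    root="$1"
    ok=0
    if ! grep -qs '^install usb-storage /bin/false$' "$root/$MODPROBE_CONF"; then
        echo "missing: modprobe install rule for usb-storage" >&2; ok=1
    fi
    if ! grep -qs '^install uas /bin/false$' "$root/$MODPROBE_CONF"; then
        echo "missing: modprobe install rule for uas" >&2; ok=1
    fi
    if ! grep -qs 'bInterfaceClass}=="08".*authorized}="0"' "$root/$UDEV_RULE"; then
        echo "missing: udev de-authorization rule" >&2; ok=1
    fi
    return "$ok"
}

# Apply both layers and verify them. Run as root with root=/etc, then reload:
#   udevadm control --reload-rules; modprobe -r usb-storage uas 2>/dev/null || true
apply_usb_storage_lock() {
    root="${1:-/etc}"
    write_usb_storage_modprobe "$root"
    write_usb_storage_udev "$root"
    audit_usb_storage_lock "$root"
}

# Only touch the system when explicitly asked, so sourcing this file is harmless.
if [ "${1:-}" = "--apply" ]; then
    apply_usb_storage_lock "${2:-/etc}"
fi
```

Run the script as root with `--apply`, then `udevadm control --reload-rules` and unload any already-loaded driver with `modprobe -r usb-storage`.  Two caveats a practitioner will want: this blocks storage-class devices only, so a malicious device that enumerates as a keyboard (the so-called BadUSB attack) still gets through, and an allow-listing tool such as USBGuard is the answer to that; and on Windows the equivalent control is the “Removable Storage Access” group policy rather than a modprobe file.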

The key to the HIPAA Security Rule is that it is scalable.  Safeguards must be reasonable and appropriate in light of the organization’s size and resources and the amount, frequency, and sensitivity of the protected health information it handles.  An employer that only handles limited PHI related to its health plan would probably not have to hire guards and install cameras to protect it.  However, basic protections (a lock on a door or an angled computer screen, to name two) are within reach of virtually any organization.

Additionally, employers who handle protected health information should remember that physical security of workstations is just one aspect of the HIPAA rules.  The Security Rule also requires administrative and technical safeguards, and all three categories should be addressed in any HIPAA compliance program.


NOTICE OF DISCLAIMER

The information herein is intended to be educational only and is based on information that is generally available. HUB International makes no representation or warranty as to its accuracy and is not obligated to update the information should it change in the future. The information is not intended to be legal or tax advice. Consult your attorney and/or professional advisor as to your organization’s specific circumstances and legal, tax or other requirements.