Hospital Physical Security and The Workstation Question
While many of the physical safeguard standards focus on building access, two standards in particular cover workstation use (164.310(b) and (c)). In the modern healthcare work environment, this includes not only desktop computers, but also laptops, tablets, drives, mHealth devices, and “any other device that performs similar functions, and electronic media stored in its immediate environment.”
The Workstation Use Standard addresses not only proper use of each device but also the physical environment in which a device operates. According to HIPAA, covered entities must:
“implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”
This means that a covered entity is required to assess its physical surroundings and the associated risks to determine any potential negative impact. The Workstation Use Standard also applies to offsite workforce members and can additionally include requirements to log off before leaving a workstation and to continually update antivirus software.
The second standard, the Workstation Security Standard, gets directly at the physical access to workstations, stating that covered entities must “implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”
Restricting physical access to a workstation or device is specifically called out as a suggested way to comply with this requirement. Special emphasis is placed on asking whether all types of workstations are secured (consider all the types of devices used at your facility that access and house EPHI), whether current physical safeguards are effective, and whether additional safeguards are needed.
If this topic is of concern at your facility, it might be time to review the Security Standards Matrix (pg 15), paying special attention to the Physical Safeguards section, when implementing or reviewing your Facility Security Plan.
If you have questions about how your new security plan or existing hospital access control system can be enhanced with RFID-enabled cabinet locking systems, visit our Healthcare Access Control page or contact us!