There are four physical safeguard standards: facility access controls, workstation use, workstation security, and device and media controls. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009.
Physical safeguard standards pertain to a covered entities physical location (facility), who has access to the facility and when, how hardware and software systems are protected and used in the facility, how electronic protected health information is safeguarded on hardware in the facility, how records of electronic protected health information are properly disposed of, and how media containing such records are used and reused after disposal of records of electronic protected health information.
We cover the four physical safeguard standards and their 10 implementation specifications in 12 postings.