Physical Safeguards: Facilities

HIPAA § 164.310 (a) requires you to establish physical safeguards for your "facility." The implementation must provide for (i) contingency operations, (ii) a security plan that explains how you protect against unauthorized access, tampering, and theft, (iii) access controls, and (iv) maintenance records.

At this early stage, your "facility" is going to be centered on a secure zone: something with a lock on it. This is where you are going to store sensitive non-electronic items. This is also going to be your physical backup should your electronic systems become unavailable. (And vice versa, you are going to maintain an electronic duplicate of everything in your secure zone.)

Define your Facility

At § 164.304, HIPAA provides a list of definitions. Your facility constitutes "the physical premises and the interior and exterior of a building(s)."

What we want to do here is reduce the scope by designating a secure zone. Then we will consider the premises as well as the interior and exterior of the building. If you have an office that only you can lock, that's great and you may consider it to be your secure zone. However, I'm going to suggest that you want a zone that is really, truly, under your control and that of a trusted delegate.

Without a hard physical security perimeter, I suggest that you buy a fire resistant box safe with a combination lock and two physical keys (example). Another possibility would be a locking briefcase. This is where you are going to keep those sensitive non-electronic items. Keep your receipt, and put it into the receipts envelope you created in the prior chapter. You might be able to get by without a physical safe or locking briefcase, but in my experience, over time you will find yourself with physical things that need to be kept safe. We'll consider this your secure zone.

A Preview of Assessing and Managing Risk

Let's say that your secure zone is in your house or apartment. Do you monitor the interior and exterior of the building? Probably not. But I bet you live in a neighborhood that is not overrun with crime relative to other parts of your area, so the likelihood of a break-in is low. At this stage, you don't have any PHI to protect, and certainly no electronic PHI, so even if it were stolen, the impact is low. What is risk? One mechanical definition of risk is to say that it is likelihood times impact. The likelihood of your home being broken into is probably low, and at this stage, with no client data, the impact is probably low as well (besides, shortly I am going to guide you on keeping cloud backups of everything in your secure zone). So in this case, with low likelihood and low impact, the risk to your facility is low. There are four things you can do to respond to risk: You can

In this case, we are going to accept the risk that your facility is not completely locked down.

A Preview of Policies and Procedures

Now that you have a secure zone, I'm going to ask you to do four things:

  1. You must maintain a clean desk: When you walk away, put everything in the secure zone.
  2. You must protect displays of PHI and sensitive data: Position your computer so that no one can walk up behind you and observe what you're doing.
  3. You must physically secure your computer: always lock your computer when you walk away from it, and have the screen blank after a period of inactivity. You must set up a screen saver that locks your computer after twenty minutes.
  4. You must track maintenance: Create a sheet in Drive called "[Your Company] Facility Maintenance Records" with the columns date, what, by whom, approved.

By doing these things, we have established a secure zone for any physical PHI and backup documents for electronic resources.

Very roughly, the first part of each item before the colon is a general statement of policy; the rest of the item enumerates procedural steps that satisfy the policy. Policies last a long time without change and should be general; procedures change as your company changes.

Now let's ensure you have some backup

Email the photos you've been taking of items you've put into your facility. Verify that they reached the mailbox, and then delete them from your phone.

Create a folder in Drive for your photos of safe contents

With your Google Workspace account, go to Drive and create a folder called Facility Contents or something similar. You can now go to your email and hover over each image; you'll see an icon that will let you transfer this into Drive.

Now let's go to your inventory list in Drive. Put your facility on the list. Leave all of the columns blank and set these columns:

Is our implementation solid?

Recall that there are some items you must implement for your physical safeguards. Here's that list again, along with what you are doing for each one:

  1. Contingency operations. All data in your facility has a duplicate in the cloud.
  2. Facility security plan. Only you and your trusted security backup have keys to your facility.
  3. Access control. At present, only you and your trusted security backup have access to your facility. A "todo" is to implement a process to provide others with the appropriate access to parts of your facility.
  4. Maintenance records.

The future

When your company gets bigger, you may want to think about managing access to and monitoring of facilities with software that controls electronic keycards and cameras. But that's for later.

Checklist

   Define a facility
   Keep your desk clean
   Computer positioned to prevent prying eyes
   Set screensaver that locks computer after 20 minutes
   When you add something to your facility, take a photo
   Create a sheet entitled "[Your Company] Facility Maintenance Records"
   Put password vault master password into facility
   Share instructions and duplicate facility key to trusted security backup
   Put your Certificate and Articles of Organization in your facility
   Photograph or scan these documents and move them into Drive

Money spent so far

Item                   Amount
Starting balance       $260
Safe                   $154
Total for this part    $154
Total so far           $414

Are we HIPAA-compliant yet?

No. But we've laid more groundwork for physical security, an asset inventory, and some technical controls.

Resources