By Peter Arant   /   Nov 27th, 2018

HIPAA Security Rule: 5 Common Shortcomings (Physical Safeguards)

Go beyond HIPAA’s language to achieve better security and compliance. Here’s how:


When we help clients with HIPAA assessments—whether it’s a security risk analysis or a gap analysis of security controls—we tend to see many of the same shortcomings again and again. The shortcomings I’m referring to can exist even if you follow all requirements as stated in the HIPAA Security Rule

In this post, we’ll take a look at some of the Physical Safeguards found under the HIPAA Security Rule and how merely sticking to the Rule’s language is simply not good enough. In other words, if you simply do what a particular safeguard says you are supposed to do—and nothing more—you’re setting yourself up for failure from both a security and compliance standpoint.

One important aspect to keep in mind is that the Physical Safeguards include controls that most of us would not consider “physical” in nature. For example, there are safeguards regarding the use and security of workstations that are not limited to physical security.


1. Overlooking “Workstations” in a Modern Context

The HIPAA Security Rule needs to be updated to account for today’s technology. When we hear a term like “workstation,” most of us probably think of desktop and laptop computers. The definition of “workstation,” though is:

“an electronic computing device, for example, a lap or desk computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.” 45 CFR § 164.304.

What about smartphones and tablets that can access or store ePHI? Or what about a workforce member’s personally owned home computer that can access the organization’s EHR web app remotely? Shouldn’t all of these devices be considered “workstations”? Yes, according to the definition above.

Many organizations, though, only have formalized safeguards for their fleet of on-site desktops and laptops to help satisfy the Workstation Use and Workstation Security requirements in 45 CFR §§ 164.310(b) and (c). They pay less attention to other “workstations” like smartphones, tablets, and computers utilized by employees at home.

If your organization is subject to HIPAA, be sure all devices meeting this definition are on your radar.


2. No Audits of Key Badge Access Systems 

Many healthcare organizations use key badge access systems for building entrances and certain doors within their facilities. These systems provide the ability to quickly grant and revoke physical access, and they eliminate many of the headaches associated with physical keys.

However, organizations often neglect to perform routine audits of these badge access systems. For example, they do not perform routine audits to ensure there are no active badges assigned to workforce members whose employment has been terminated. Organizations also fail to check access logs for suspicious activity such as individuals accessing the building late at night.

If your organization has a key badge access system, be sure to perform routine audits of account lists, the permissions assigned to them (i.e., what doors they are able to access), and the access logs.


3. No Multi-Factor Authentication for Server Rooms or Other Sensitive Areas

Healthcare organizations go to great lengths to protect server rooms and other sensitive areas within their facilities. Many times, though, entering one of these rooms only requires a single key or badge. That doesn’t provide much in the way of protection for valuable IT assets like servers and other equipment.

If this is true for your organization, explore the possibility of adding an additional authentication mechanism such as a keypad with a unique code assigned to each individual. Adding at least one more hurdle can go a long way in terms of protecting important physical assets.


4. No Disposal and Re-use Protocols for Certain Devices and Media

As discussed in the previous post, organizations often overlook places where ePHI exists. A common culprit is the all-in-one device that handles photocopying, printing, faxing, and scanning.

Many of these devices have hard drives that retain data, and therefore they must be disposed of and re-used in accordance with §§ 164.310(d)(2)(i) and (ii).

Yet another reminder not to overlook any devices and media containing ePHI.


5. No Coordination with Building Owners and Property Managers

Many healthcare organizations operate in spaces they do not own. They might lease a space in a hospital, shopping center, or office complex. In these situations, the building’s owner or management company will often be responsible for various physical and environmental controls: fire suppression systems, video surveillance, security alarm systems, on-site security personnel, and so on.

Healthcare organizations located in leased spaces sometimes do not have a clear understanding of what building owners or property management companies actually do to oversee and manage these important physical safeguards on a regular basis.

Is live alerting set up to warn of smoke or increases in temperature? Do the surveillance cameras throughout the facility even work, and if so, how long is footage retained? These are the types of questions healthcare organizations sometimes fail to ask building owners and property management companies.

If your organization is located in a leased space, come up with a list of what your building’s owner or management company is responsible for in terms of physical safeguards. After that, find out what they do to manage and oversee these physical safeguards on a regular basis. 



The list above includes common shortcomings we encounter when performing HIPAA assessments for clients. These shortcomings can exist even if the organization is abiding by the language found in the HIPAA Security Rule.

If your organization is subject to HIPAA, be aware of these shortcomings and consider the recommendations included above.

While this post concerns Physical Safeguards, be sure to check out the previous post on shortcomings related to Administrative Safeguards. A post on Technical Safeguards will be published soon. 

Have questions about HIPAA? Get in touch with LMG today.  At LMG Security, We Make Nothing Happen.



About the Author

Peter Arant

Peter is a Senior Security Consultant with LMG Security and holds his J.D. from the University of Montana School of law. He specializes in conducting risk assessments, policy and procedure development, cyber insurance policy review, HIPAA compliance, GDPR compliance, and other compliance services. Prior to joining LMG, Peter managed his own law practice, helping clients with regulatory compliance, technology, privacy and security.  He received the Montana State Bar Association’s Frank I. Haskell Award in 2015 for his publication, “Understanding Data Breach Liability: The Basics Every Attorney Should Know.”