Most every healthcare organization must have physical safeguards in place to guard data integrity, confidentiality, and availability of Electronic Protected Health Information (EPHI). They must limit physical access to their electronic information systems while ensuring employees can still perform their jobs properly.
In general, physical safeguards are the mechanisms needed to protect electronic systems, equipment and data from threats, environmental hazards, and unauthorized intrusion.This includes restricting access to EPHI and retaining off-site computer backups. Areas of concern include access controls, workstation use and security, and device and media controls. Each PDA, laptop, and desktop system should be reviewed.
Security measures are also needed to protect EPHI when transmitting data over electronic communications networks. Healthcare organizations should review current methods used to transmit EPHI, such as e-mail, over the Internet, or other means, and then identify ways to protect it as it is transmitted. Wireless devices can pose a significant threat. Employees should not be using e-mail to send EPHI outside the organization unless it is encrypted. The Security Rule doesn't prohibit e-mail, but expects healthcare organizations to guard against unauthorized access. If a system breach occurs with unencrypted e-mail, the affected patients must be notified.