[Please label written comments or e-mailed comments about this section with the subject: PHYSICAL SAFEGUARDS]
The requirements and implementation features for physical safeguards are presented at § 142.308(b) of this proposed rule. We would require each of these safeguards to be documented. We would require this documentation to be made available to those individuals responsible for implementing the safeguards and to be reviewed and updated periodically. The following matrix depicts the requirements and implementation features for the Physical Safeguards category. Following the matrix is a discussion of each of the requirements under that category.
PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY |
|
|
REQUIREMENT: |
IMPLEMENTATION: |
|
Assigned security responsibility |
|
|
Media controls (all listed implementation features must be implemented). |
Access control. |
|
Physical access controls (limited access) (all listed implementation features must be implemented). |
Disaster recovery. |
|
Policy/guideline on work station use |
|
|
Secure work station location |
|
|
Security awareness training |
|
We would require the security responsibility to be assigned to a specific individual or organization, and the assignment be documented. These responsibilities would include the management and supervision of (1) the use of security measures to protect data, and (2) the conduct of personnel in relation to the protection of data. This assignment is important to provide an organizational focus and importance to security and to pinpoint responsibility.
Media controls would be required in the form of formal, documented policies and procedures that govern the receipt and removal of hardware/software (for example, diskettes, tapes) into and out of a facility. They are important to ensure total control of media containing health information. These controls would include the following mandatory implementation features:
Physical access controls (limited access) would be required. These would be formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed. These controls would be extremely important to the security of health information by preventing unauthorized physical access to information and ensuring that authorized personnel have proper access. These controls would include the following mandatory implementation features:
Each organization would be required to have a policy/guideline on workstation use. These documented instructions/procedures would delineate the proper functions to be performed and the manner in which those functions are to be performed (for example, logging off before leaving a terminal unattended). This would be important so that employees will understand the manner in which workstations must be used to maximize the security of health information.
Each organization would be required to put in place physical safeguards to eliminate or minimize the possibility of unauthorized access to information. This would be important especially in public buildings, provider locations, and in areas where there is heavy pedestrian traffic.
Security awareness training would be required for all employees, agents, and contractors. This would be important because employees would need to understand their security responsibilities based on their job responsibilities in the organization and make security a part of their daily activities.