HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Physical safeguards for email servers

Written by Kirsten Peremore | Sep 27, 2024 10:30:45 AM

Email servers manage and store email communications, allowing users to send, receive, and organize emails. Given the role of these servers in communication and data management, their protection is necessary to prevent unauthorized access and avoidable data breaches. 

 

What are physical safeguards?

Physical safeguards are one of the three categories of safeguards in HIPAA's Security Rule, with their standards set out in 45 CFR 164.310. The Rule's definitions section (45 CFR 164.304) defines them as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."

Together with the administrative and technical safeguards, they form the outline that covered entities and business associates follow to reach HIPAA compliance. The physical safeguards govern how electronic protected health information (ePHI) is protected from unauthorized access, tampering, or destruction in the physical locations that hold it, such as server rooms and data centers.

 

Why physical safeguards are necessary for email servers 

Physical safeguards shield HIPAA compliant email servers from direct physical threats by protecting the actual hardware: the servers themselves, routers, storage devices, and the other equipment the service depends on. Measures such as restricting access to server rooms, installing surveillance cameras, and using biometric or card-based entry systems help prevent theft or destruction of the ePHI stored on that equipment.

 

The physical safeguards that protect email servers 

  • Controlled facility access: Limiting physical access to the email server room or data center to the people whose roles require it, with a documented procedure for granting and revoking that access. 
  • Security cameras: Monitoring server rooms and other sensitive areas with surveillance systems, and retaining the footage long enough to support an investigation. 
  • Access control systems: Using biometric scanners, key cards, or keypad entry at the entrances of server rooms, so that each entry is tied to an individual. 
  • Server room locks: Installing high-security locks on server room doors to prevent unauthorized access. 
  • Environmental controls: Implementing fire suppression, temperature control, and humidity detection to protect servers from environmental hazards.
  • Uninterruptible power supply: Keeping backup power in place so that outages and surges do not damage servers or corrupt stored mail. 
  • Workstation security: Securing the individual workstations that can administer or access the email servers so that they cannot be used by unauthorized people. 
  • Cable management: Protecting and securing network cables to prevent accidental or intentional tampering. 
  • Maintenance records and access logs: Documenting repairs and modifications to the physical components of the facility that affect security, such as hardware, walls, doors, and locks (45 CFR 164.310(a)(2)(iv)), and keeping a log of who entered the server room and when. 
  • Device and media controls: Tracking the hardware and media that hold ePHI, and wiping or destroying disks from retired or repaired mail servers before they leave the facility (45 CFR 164.310(d)). 
  • Physical server backup storage: Storing backup servers or backup media offsite in secure locations to prevent data loss from disasters. 
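The access logs in the list above are only useful if someone reviews them. The following added example (not code from the original article) shows one way to do that: it reconciles a badge-reader export for the server-room door against the authorized-personnel list and flags denied attempts, entries by badges that are not on the list, and after-hours entries that should be matched to a change ticket or on-call roster. The log format, badge IDs, door names and business-hours window are assumptions constructed for illustration.

```python
"""Review a server-room badge-access log against an authorized-access list.

Added example, not from the original article. The log format, the
authorized-personnel list and the working-hours window below are
assumptions; adapt them to your access-control system's export format.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample: which badges the facility access policy allows on which
# door. Badge IDs and door names are made up for this example.
AUTHORIZED = {
    "SERVER-ROOM-1": {"B1001", "B1002"},
    "LOADING-DOCK": {"B1003"},
}

# Constructed sample export from a badge reader: timestamp, badge, door, result.
SAMPLE_LOG = """\
2024-09-20T09:12:03,B1001,SERVER-ROOM-1,GRANTED
2024-09-20T09:40:11,B1003,SERVER-ROOM-1,DENIED
2024-09-20T23:55:42,B1002,SERVER-ROOM-1,GRANTED
2024-09-21T02:10:00,B1003,SERVER-ROOM-1,GRANTED
2024-09-21T10:05:30,B1003,LOADING-DOCK,GRANTED
"""


@dataclass
class AccessEvent:
    when: datetime
    badge: str
    door: str
    result: str


def parse_log(text):
    """Parse the comma-separated export into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), badge, door, result))
    return events


def review(events, authorized, business_start=time(7, 0), business_end=time(19, 0)):
    """Return (finding_kind, event) pairs a reviewer should look at.

    - 'denied': a denied attempt; repeated denials on the server-room door are
      a probing or tailgating signal.
    - 'unauthorized_grant': a badge not on the door's list got in, meaning the
      reader's ACL drifted from the written policy or a badge was cloned/shared.
    - 'after_hours': an authorized badge entered outside the business window;
      not necessarily wrong, but it should match a change ticket or on-call roster.
    """
    findings = []
    for ev in events:
        allowed = authorized.get(ev.door, set())
        if ev.result == "DENIED":
            findings.append(("denied", ev))
        elif ev.badge not in allowed:
            findings.append(("unauthorized_grant", ev))
        elif not (business_start <= ev.when.time() <= business_end):
            findings.append(("after_hours", ev))
    return findings


def summarize(findings):
    """Count findings by kind, for a periodic review report."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, ev in review(parse_log(SAMPLE_LOG), AUTHORIZED):
        print(f"{kind:18} {ev.when.isoformat()} badge={ev.badge} door={ev.door}")
```

On the constructed sample this reports one denied attempt, one after-hours entry by an authorized badge, and one entry by a badge that is not on the server-room list; the last of these is the finding that should trigger an immediate check of the reader's configuration and of who holds that badge.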

 

FAQs

What are the types of safeguards? 

Administrative, physical, and technical safeguards. 

 

When is a business associate agreement necessary with email providers?

Whenever the email provider creates, receives, maintains, or transmits ePHI on the organization's behalf, since that makes the provider a business associate. 

 

Do both covered entities and business associates need to implement physical safeguards? 

Yes, both covered entities and business associates must implement physical safeguards to protect patient information.