According to the Journal of Medical Systems study ‘Security Techniques for the Electronic Health Records’, “Breaches in physical safeguards are the second most common cause of security breaches [7, 30]. Physical safeguards encompass techniques such as assigned security responsibilities, workstation security, and physical access controls.”
Physical safeguards under HIPAA are designed to secure the actual places and devices where electronic protected health information (ePHI) lives, which includes email servers, workstations, and related infrastructure. By establishing rules and controls around physical access, environment, and device security, these safeguards help prevent unauthorized individuals from physically accessing or damaging the systems that manage sensitive communications.
Beyond doors and locks, HIPAA also provides for environmental controls. Email servers must be housed in environments protected against fire, flooding, extreme temperatures, and power outages. Physical safeguards, such as fire suppression systems, climate control, flood sensors, and backup power sources, ensure that email services remain up and running securely without interruption, thereby maintaining both the integrity and availability of email communications.
Physical safeguards are part of HIPAA’s Security Rule, specifically appearing in Section 164.310. HHS Security Rule guidance provides that physical safeguards are defined as, “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
The safeguards are one of three central categories of measures (administrative, physical, and technical) that together form a well-rounded framework for HIPAA compliance in covered entities and business associates. The physical safeguards govern how electronic protected health information (ePHI) is guarded from unauthorized access, tampering, or destruction in physical locations such as data centers.
One of the most damaging physical threats is unauthorized physical access, meaning that an attacker or insider gains direct access to server hardware or the facilities. Deliberate physical attacks such as sabotage and vandalism are another threat. Sabotage involves intentionally damaging or disabling servers and networking equipment to disrupt email services or cause loss of data.
This can include actions like cutting cables, damaging hardware components, or disabling power supplies. Vandalism, though sometimes less targeted, similarly harms physical assets, potentially resulting in email downtime or data destruction.
A Cognitive Technological Workplace study exploring insider threats notes, “Based on insiders’ intentions two types of IsT exist: intentional (also known as malicious) and unintentional (also known as accidental) which can be posed by an individual or a group (Predd et al. 2008) and it is unintentional IsT (UIsT) that is of interest to this work. Unintentional insiders do not mean to harm the organisation, but their actions or inactions can put assets and operations of the organisation at risk, affecting systems’ confidentiality, integrity and availability (CIA security triad).”
Employees or contractors with authorized access may inadvertently or maliciously compromise physical safeguards by failing to follow security protocols, sharing access credentials, or bypassing security controls.
The fundamental reason physical safeguards are necessary is that the security of electronic communications cannot be guaranteed solely by software or network controls. While encryption, firewalls, user authentication, and other technical safeguards protect the logical aspects of email security, they do nothing if an attacker can physically access the server or storage device. Physical access allows malicious actors to steal hardware, insert rogue devices, bypass encryption by extracting data directly, or disrupt email services through damage or sabotage.
The above-mentioned study found that, “Physical security safeguards were only mentioned 12.5% (5/40) of all occurrences of safeguards.” The rationale behind protection is straightforward: if unauthorized individuals cannot get near the hardware, they cannot physically steal or tamper with sensitive content, a failure point often exploited in healthcare breach incidents. Physical safeguards also mitigate the risk of insider threats by clearly defining and enforcing boundaries on physical access.
The HIPAA Security Rule sets national standards for protecting ePHI by requiring healthcare organizations to implement administrative, physical, and technical safeguards.
It applies to covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who create, receive, maintain, or transmit ePHI on their behalf.
The update eliminates the distinction between required and addressable specifications, making all safeguards mandatory. It introduces requirements such as encryption of data at rest and in transit for purposes such as email communication, regular vulnerability scans and penetration tests, enhanced incident response plans, and stronger vendor oversight.
When an email provider handles, stores, or transmits ePHI.
Yes, both covered entities and business associates must implement physical safeguards to protect patient information.