Physical Security and HIPAA: What You Need to Know Now

by Michael Ruano, CHS

This article is the final installment of a 10-part series that introduced the domains of information security and related them to federal HIPAA regulations. The information security domain of physical security covers threats against and the controls required to protect facilities, equipment, personnel, and essential services. These are the physical components of the infrastructure that supports information-management processes.

While HIPAA protects only healthcare information, the broad and general information security concepts can be effectively used for HIPAA remediation. The information security tenets covered by physical security are reflected in the HIPAA regulations when they state, “a covered entity must…establish and implement policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information...implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft...establish and implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.” Meeting these requirements is impossible without a thorough understanding and application of physical security controls.

The Role of Facilities

Facilities provide many functions that protect information. They serve to prevent natural elements from harming equipment, personnel, and media. They protect equipment, personnel, and services from damage caused by either natural or manmade sources including weather, weapons, fire, and floods. In addition, they provide barriers to unauthorized access.

To ensure appropriate protection, a secure site must first be chosen and the facility must be designed with security in mind. The facility’s location and design must try to avoid disasters as much as possible within the constraints of its functional requirements. For existing facilities, improvements and additions must also take these factors into account. The overall design should be strong and secure with protections for personnel, utilities, and all other required services and functions, and have the ability to withstand or minimize the effects of all likely disasters.

Finding the Right Equipment

Equipment can be either information technology-related or supportive in nature. It provides the functions required to manage information, whether directly or indirectly. It is susceptible to unauthorized access and damage as a result of problems with facilities, personnel, services, and their related processes.

Facilities provide some of the protections required by equipment such as protection from the elements and unauthorized access. Supportive equipment such as fire-prevention systems and alarm systems protect by either suppressing disasters or alerting personnel quickly to mitigate the disaster. Unlike facilities, equipment can sometimes be moved during or shortly after a disaster to prevent further harm.


Personnel play a unique and indispensable role in both providing and requiring physical security. Facilities protect personnel. Equipment also protects them, notifying and aiding them in responding to physical security incidents. Personnel are the most sensitive of all the resources involved and the most likely to be injured as a result of an incident. They are also the most flexible and capable resource in both preventing and responding to any emergencies.

Personnel are responsible for planning and preparing for physical security. They can be called on to perform contingency roles and moved quickly to locations to effectively remediate situations. Planning and responding to emergencies must always take into account the human element including housing, trauma, stress, and the emotional needs of individuals.

Dependable Services are Key

Services include utilities such as power, water, and telecommunications, as well as police and fire departments, off-site storage of media, and others. These services are required for information management and as a deterrent to and response to incidents. A lack of dependable services can directly or indirectly cause an incident or affect the response to incidents.

Redundant or alternate services must be considered when planning physical security. In some cases, alternate facilities may need to be used if core services are unavailable. Examples of solutions to this problem include generators, reverse osmosis filtration systems, and redundant network design.

An understanding of information security is required to help comply with the HIPAA regulations. By understanding the information security domains and their concepts, an information security program can be followed that will protect patients, their information, and the healthcare organization.

Michael Ruano, CHS, is the information security officer for Rockford Health System in Rockford, IL. He can be reached at (815) 971-6849 or via e-mail at

Article citation:
Ruano, Michael. "Physical Security and HIPAA: What You Need to Know." IN Confidence 11:12 (December 2003), p.3.