According to the HIPAA Security Rule, physical safeguards are defined as “the physical measures, policies, and procedures to protect a Covered Entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion.”
Facility Access Controls set policies and procedures to limit access to the facilities that contain servers, computers, medical records rooms, or all the places that would hold PHI/ePHI. Be sure to put in place a Facility Access Policy.
Device and Media Controls defines not only the removal of hardware and electronic media that contain ePHI out of the facility, but also the movement of these items within the facility. Required standards include disposal and media re-use. In the event a computer will be repurposed ensure all data has been wiped clean before re-use.
Workstation Security must include the necessary steps to place physical safeguards on every device that will contain ePHI, in order to prevent unauthorized access. Specify the authorized functions for the device and the actions and websites users are allowed to access on these company-owned computers/machines. Have all staff sign an Acceptable Use of Information and Assets Policy on what they can and cannot do with the organization’s devices.