The first thing to keep in mind with all physical security site reviews is that, because your security risk assessment is required to be organization-wide, your physical security assessment should include all of the locations your organization controls (locations controlled by Business Associates are not required to be visited, but you may decide to do so). This includes all locations where health care delivery is conducted, all locations where servers or technology infrastructure are maintained, and all locations where paper PHI is maintained. If you fail to visit all of the locations, the risk assessment will not meet the organization-wide requirement.
A physical security site assessment is best conducted when it is unannounced to the general staff.
This is the best way to observe the most accurate state of the facilities. Staff tend to be on heightened alert when they know any type of assessment is underway, and their behavior during that time may not be indicative of standard practice.
A thorough physical security site assessment will look for items such as:
Positioning of computer monitors to determine if they can be viewed by unnecessary staff or the patients;
Posting of Notice of Privacy Practices;
Badge utilization by staff;
Escorting of guests;
Locking of restricted areas, including where samples and technology equipment are kept;
Identifying unlocked and unattended workstations; and
Overhearing conversations that include PHI.
Any one of these items poses a risk to PHI, and each one can best be identified and assessed through a physical security site assessment. The risks identified in the physical security site assessment should be included in the Security Risk Assessment report, and remediation activities should be included in the risk management plan.
While they are time-consuming, physical security site reviews are an essential part of conducting an organization-wide risk assessment, and thus are a valuable investment of time and resources.