Keywords: Physical Safeguards, HIPAA
Physical Safeguards

The physical safeguards deal with the physical means used to implement the HIPAA security regulation; they draw on the administrative safeguards.

Note that the regulation is non-specific with regard to the actual safeguard to be implemented: it specifies functions rather than the underlying technology to be used. This allows vendors and institutions to choose the technical solution that is best, affordable and practical, and it also allows the technology to be updated as other means become available. In the list below, (R) marks a required implementation specification and (A) an addressable one. These safeguards include the following requirements:

  • Facility Access Controls: The physical means to limit physical access to information systems and facilities.
    • Contingency Operations (A): Emergency access to the facility, especially to Zones One and Two, needs to be documented and provided for.
    • Facility Security Plan (A): Zone One can be accessed using ID cards or locks; Zone Two can be safeguarded by physical means to a certain extent; Zones Three and Four require strict policies because access to them is easier.
    • Access Control and Validation Procedures (A): For example, visitor access needs to be regulated for each zone (hospital access, ICU, ER), as well as in radiology. One should especially be aware of service access by vendors; most radiology equipment allows a vendor to have access for service and diagnostic purposes. This access needs to be controlled, for example by using defined access points.
    • Maintenance Records (A): One cannot simply change physical access cards, locks, policies, etc. without a procedure and a means to document the change. The procedure will differ for Zones One, Two, and Three.
  • Workstation Use (R): The proper functions and the surroundings of workstations need to be reviewed and addressed. Secure locations for workstations are required, especially outside Zone One. ER locations are important to protect; it is important to prevent someone from looking over a shoulder. One should also implement role-based access and limit the allowable functions. For example, an ER workstation should not have access to all images performed on a particular date across the complete institution, but rather be limited to those that are appropriate.
  • Workstation Security (R): Implement restricted access. Restrict access using passwords, access cards, or even biometric devices (fingerprint, eye recognition). Provide the security mechanism that makes sense in a particular environment; e.g., fingerprint recognition does not make sense in an environment where operators need to wear gloves or where there are a lot of fluids.
  • Device and Media Controls: Implement measures to deal with hardware and media containing PHI.
    • Disposal (R): The disks in disposed hardware should be carefully tracked, or destroyed if discarded. It is not sufficient to just "delete" the files on a disk prior to disposing of it, because simple disk-recovery software can easily restore this information.
    • Media Re-Use (R): Rewritable disks or other media have to be controlled or erased. This is particularly important for rewritable MODs or DVDs that are used for some modalities (CT, ultrasound), and for floppies.
    • Accountability (A): Who is responsible for which hardware and media? Make a list and make sure these people know they are accountable and agree to carry the responsibility. For example, when a workstation computer is replaced with an updated version, who is responsible for properly discarding the old one: the IT department, radiology, the vendor, etc.?
    • Data Back-up and Storage (A): Especially when moving or exchanging equipment, make sure there is a retrievable copy available. This is often overlooked when upgrading a device to a new version; always make sure there is a way to restore to the previous version.
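The Workstation Use item above asks for role-based access that limits an ER workstation to the studies appropriate for it. The following is an added illustration of a deny-by-default access check that combines the workstation's role and zone; it is not code from the original page, and the roles, zone labels, study fields and sample studies are constructed for the demo.

```python
"""
Deny-by-default study access check for a workstation.  Added example; the
roles, zones, record fields and sample studies below are constructed and
do not describe any real institution's policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Study:
    accession: str
    patient_location: str   # where the patient currently is, e.g. "ER", "ICU"
    ordering_dept: str      # department that requested the study
    modality: str


@dataclass(frozen=True)
class Workstation:
    name: str
    zone: str               # "One".."Four", the zones used on this page
    role: str               # "er", "icu", "radiology" (constructed role names)


# One rule per role answering "may this workstation open this study?".
# A role with no rule, or a rule that returns False, is denied.
ROLE_RULES: Dict[str, Callable[[Workstation, Study], bool]] = {
    # ER workstation: only patients currently in the ER, or studies the ER ordered
    "er": lambda ws, s: s.patient_location == "ER" or s.ordering_dept == "ER",
    "icu": lambda ws, s: s.patient_location == "ICU",
    # radiology reading role: full worklist, but only from a Zone One workstation
    "radiology": lambda ws, s: ws.zone == "One",
}

AUDIT: List[str] = []   # stand-in for the institution's audit log


def may_view(ws: Workstation, study: Study) -> bool:
    """Evaluate the role rule and record the decision, allow or deny."""
    rule: Optional[Callable[[Workstation, Study], bool]] = ROLE_RULES.get(ws.role)
    allowed = bool(rule and rule(ws, study))
    AUDIT.append(f"{'ALLOW' if allowed else 'DENY'} {ws.name} "
                 f"(role={ws.role}, zone={ws.zone}) -> {study.accession}")
    return allowed


def worklist(ws: Workstation, studies: List[Study]) -> List[str]:
    """The study list a workstation is shown: filtered server-side, not merely hidden in the UI."""
    return [s.accession for s in studies if may_view(ws, s)]


# constructed sample studies acquired on one day
STUDIES = [
    Study("A001", "ER", "ER", "CR"),
    Study("A002", "ICU", "ICU", "CT"),
    Study("A003", "WARD3", "ER", "US"),   # ordered by the ER, patient since admitted
    Study("A004", "OUTPT", "ORTHO", "MR"),
]

if __name__ == "__main__":
    er = Workstation("ER-WS-2", "Three", "er")
    reading = Workstation("RAD-READ-1", "One", "radiology")
    print("ER worklist:", worklist(er, STUDIES))
    print("Reading worklist:", worklist(reading, STUDIES))
    print("\n".join(AUDIT))
```

The filtering happens in `worklist`, before anything reaches the display, and every decision is written to the audit list, so a later review can show which workstation asked for which study and whether it was allowed.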
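The Disposal and Media Re-Use items above state that deleting files is not enough because recovery software restores them. The following added example simulates this on a small in-memory disk image: a logical delete drops the directory entry but leaves the bytes, a carving scan finds the record anyway, and an overwrite pass followed by an independent verification is what actually sanitizes the medium. This is not code from the original page; the toy filesystem, the block size, the MRN pattern and the sample record are all constructed for the demo.

```python
"""
Why "delete" is not sanitization, on a simulated medium.  Added example; the
toy filesystem, block size, record format and sample data are constructed.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

BLOCK = 512  # constructed block size of the simulated medium


class ToyDisk:
    """A raw byte image plus a directory table.  As on most real filesystems,
    deleting a name only removes the directory entry; the data blocks remain."""

    def __init__(self, n_blocks: int) -> None:
        self.image = bytearray(n_blocks * BLOCK)
        self.directory: Dict[str, Tuple[int, int]] = {}  # name -> (offset, length)
        self._next_block = 0

    def write_file(self, name: str, data: bytes) -> None:
        n_blocks = -(-len(data) // BLOCK)  # ceiling division
        offset = self._next_block * BLOCK
        self.image[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))
        self._next_block += n_blocks

    def delete(self, name: str) -> None:
        """Logical delete: forgets the name, leaves the bytes on the medium."""
        del self.directory[name]

    def read_file(self, name: str) -> Optional[bytes]:
        if name not in self.directory:
            return None
        offset, length = self.directory[name]
        return bytes(self.image[offset:offset + length])


MRN_RE = re.compile(rb"MRN:\d{6,10}")  # constructed pattern for a medical record number


def carve_phi(image: bytes) -> List[bytes]:
    """What simple recovery software does: scan the raw blocks for recognizable
    records, ignoring the directory.  Returns every MRN-like token found."""
    return MRN_RE.findall(bytes(image))


def sanitize(disk: ToyDisk, random_passes: int = 1) -> None:
    """Overwrite every block of the medium, directory or not, then zero it."""
    for _ in range(random_passes):
        disk.image[:] = os.urandom(len(disk.image))
    disk.image[:] = b"\x00" * len(disk.image)  # final deterministic pass
    disk.directory.clear()


def verify_sanitized(disk: ToyDisk) -> bool:
    """Independent check before the medium leaves the institution or is re-used."""
    return not carve_phi(disk.image) and all(b == 0 for b in disk.image)


def demo() -> Dict[str, object]:
    disk = ToyDisk(n_blocks=8)
    # constructed sample record; not real patient data
    record = b"PatientName:DOE^JANE MRN:00123456 Study:CT CHEST 2004-01-01"
    disk.write_file("ct_report.txt", record)
    disk.delete("ct_report.txt")
    carved_after_delete = carve_phi(disk.image)
    sanitize(disk)
    return {
        "readable_after_delete": disk.read_file("ct_report.txt") is not None,
        "carved_after_delete": len(carved_after_delete),
        "carved_after_sanitize": len(carve_phi(disk.image)),
        "verified": verify_sanitized(disk),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `verify_sanitized` is that the check is independent of the tool that did the overwrite: on a real disk the equivalent is reading the raw device back after the wipe and confirming nothing recognizable remains, and recording that result in the disposal log the Accountability item calls for.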