Among the requirements outlined in HIPAA, physical safeguards are necessary to ensure patient confidentiality. This is because patients’ protected health information (PHI) may be stored as physical, paper records or as electronic records on devices in a physical location. Physical safeguards, then, play a vital role in protecting healthcare organizations against physical breaches.
As more organizations shift their focus to digital landscapes, physical buildings have become attractive entry points for threat actors who want to access or steal PHI. Breaches of physical buildings can have serious consequences for healthcare providers, patients, and their information. Given that threats against buildings exist today, healthcare organizations need to understand how to safeguard their property, how to avoid physical breaches, and how to limit the aftermath if one does occur.
Cybersecurity threats to healthcare
The Health Insurance Portability and Accountability Act (HIPAA) sets the rules and regulations surrounding access to and disclosure of PHI. The HIPAA Privacy Rule establishes the national standards to protect PHI, while the Security Rule creates a framework for the defense of electronic PHI (ePHI). To enhance data confidentiality, healthcare organizations must prioritize HIPAA compliance by using strong security measures.
HIPAA compliance promotes strong security, especially as data breaches in the healthcare industry increase. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years alone. More recent reports also show that healthcare data breaches exposed 275 million records in 2024.
Common examples of breaches that result in exposed PHI include accidental disclosure, theft, lost or stolen devices, hacking incidents, and phishing/ransomware attacks. The two most widespread types of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures or insider threats. No matter the type, a breach can have far-reaching consequences and can raise serious accountability and liability issues for an organization.
The Security Rule and physical safeguards
The Security Rule puts the Privacy Rule into practice by addressing how PHI is used and disclosed. It provides both addressable and required specifications to give covered entities flexibility over security, requiring healthcare professionals to implement layers of administrative, technical, and physical safeguards. Administrative safeguards focus on policies and procedures, technical safeguards on cybersecurity, and physical safeguards on facilities.
Physical safeguards prevent unauthorized physical access to buildings, along with theft, damage, or loss of physical assets that could compromise the security of patient information. They should encompass a range of security strategies, policies, and procedures that govern physical access, protection, and the handling of PHI. These safeguards are designed to defend an organization’s physical infrastructure and assets, including an organization’s building, its perimeter, and the offices and equipment within.
Physical safeguards also cover storage areas where sensitive information is stored and processed. In fact, they can extend outside the actual building, even beyond its perimeter. This is particularly true when employees work remotely from home or any other location and access ePHI there.
Examples of physical safeguards
Physical safeguards aim to protect the confidentiality, integrity, and availability of PHI within a physical environment by controlling physical access, preventing unauthorized intrusion, and mitigating in-person risks. Examples of physical safeguards to use include:
- Perimeter security
- Video surveillance systems
- Visitor management procedures
- Alarm and intrusion detection systems
- Secure storage for equipment
- Workstation use policies
- Environmental controls
- Data destruction guidelines
- Fire suppression systems
- Physical barriers for data cables
- Proper paper records disposal
These safeguards prevent unauthorized physical access to sensitive data and even protect the information from natural and environmental hazards. They reduce the risk of theft, damage, or loss of physical assets that could compromise data security.
Physical issues that could lead to breaches
Issues that can cause physical breaches include:
- Broken locks on doors
- Doors left propped open
- Disabled alarms
- Utility disruptions and/or failures
- Insufficient surveillance and monitoring tools
- Missing access controls
- Lost key cards
- Stolen credentials
- Computers left unlocked with no password set
- Missing encryption
- Inventory loss
- Stolen devices
- Improper device or record disposal
- Natural disasters
Theft or loss of physical devices such as laptops, hard disks, or other portable devices can lead to the exposure of PHI.
Reasons for physical breaches in healthcare
Physical breaches occur in healthcare because of a variety of mistakes centered on both human error and missing security. A simple error can open any (physical) door to medical information, ePHI, permanent and portable devices, and paper records. A good example of this is when a medical testing facility left paper records containing PHI in a dumpster. The dumped files were found by a local restaurant worker, who then contacted a media outlet about them.
At least 85% of data breaches are attributed to an individual’s mistakes. An analysis of breached locations in Verizon’s 2019 Data Breach Investigations Report reveals that paper documents, including physical files and films such as the records left by the medical testing facility, are the most susceptible to physical breaches.
Therefore, both employee training and access controls are critical to implementing adequate physical safeguards, since breaches stem from stolen devices as much as from employee errors. By restricting access, a healthcare organization can keep information from falling into the wrong hands and causing major issues for the organization and its patients.
Consequences of physical breaches
A lack of physical security measures can be costly to healthcare organizations, from loss of data to loss of patients. The Department of Health and Human Services' Office for Civil Rights (OCR) has settled several cases where PHI was exposed due to inadequate physical security. For instance, Lahey Hospital and Medical Center paid $850,000 in HIPAA fines after an unencrypted laptop was stolen from an unlocked treatment room, compromising the ePHI of 599 patients.
In another case, QCA Health Plan settled with OCR for $250,000 due to the theft of an unencrypted laptop from an employee's vehicle. Damage, however, can go beyond fine-related fees, with other challenges including:
- Ransom costs and the possibility of not getting access to encrypted or exfiltrated data
- Loss of confidence from patients and stakeholders
- Compromised healthcare data
- Patients themselves being hit by identity theft or blackmail
- Disruption of services
- Repeated attacks once hackers consider the organization an easy target
The aftermath: mitigating physical breaches
The reality is that physical breaches do occur, and healthcare organizations must know what to do to mitigate the situation. They can begin to reduce the impact of such breaches by updating and then implementing more rigorous security measures. That may mean more stringent physical controls for a specific building or for a specific room.
Organizations must employ measures to halt potential harm, such as retrieving paper records left out in the open and training staff on accessing paper files, electronic devices, and facilities. They should also conduct thorough security audits and compliance reviews to identify further vulnerabilities.
After detection and investigation, organizations must follow the Breach Notification Rule and notify affected individuals, the government, and the media. Swift and transparent communication helps lessen the fallout and indicates an organization’s commitment to rectifying a breach and ensuring it does not occur again. Proper mitigation after a breach can keep more patient data from being exposed and protect a healthcare organization from committing a HIPAA violation.
Avoiding physical breaches in healthcare with HIPAA compliance
HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid physical breaches include:
- Establishing up-to-date policies and procedures
- Using business associate agreements (BAAs) when working with third parties
- Considering what needs to be physically safeguarded and how
- Specifying physical access controls and limiting access to certain areas/devices
- Using the principle of least privilege to classify data
- Tracking the disposal of devices as well as secure storage facilities
- Implementing a secure facility design
- Using continuous employee awareness training
- Ensuring proper technological safeguards, such as data encryption
- Creating data backup and disaster recovery plans in case of an incident
- Regularly auditing and monitoring systems
- Having an incident response plan ready in case it is needed
HIPAA compliance regulations aim to protect patient and employee health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.
FAQs
Who needs to implement HIPAA safeguards?
All covered entities under HIPAA, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, must implement these safeguards.
What is physical security in HIPAA compliance?
Physical security refers to the measures taken to protect physical locations, equipment, and facilities that store or access PHI from unauthorized access, theft, or damage.
What are some components of physical security under HIPAA?
Components include controlled access to facilities, surveillance systems, security personnel, secure disposal of PHI, and proper maintenance of physical environments to protect against environmental hazards.
How can healthcare organizations ensure secure access to facilities?
Organizations can implement access controls such as key cards, biometric scanners, and visitor logs to restrict entry to authorized personnel only, ensuring that PHI is not exposed to unauthorized individuals.