Lack of controls to prevent unauthorized physical access, tampering, and theft

Risk: Lack of controls to prevent unauthorized physical access, tampering, and theft.


Explanation: The physician’s facility should be secure so that PHI and related equipment cannot be tampered with in any way. Securing PHI would mean that only the staff that is authorized to access PHI must access it. This would mean securing equipments, workstations and in some cases entire facilities so that only authorized staff is allowed to enter these facilities.

Major Mitigation: Review of risk data on anyone requiring access to ePHI, whether they are staff, patients, visitors or business partners need to be done.

The following are some methods for mitigating this kind of risk as suggested by the Department of Health and Human Services in their HIPAA Security Series [9, 10 and 11]:

  • Locked doors, signs warning of restricted areas, surveillance cameras, alarms.
  • Property controls such as property control tags, engraving on equipment.
  • Personnel controls such as identification badges, visitor badges and/or escorts for large offices.
  • Private security service or patrol for the facility.

Secondary Mitigation: All persons accessing PHI must be well aware of their roles in maintaining security in the facility. Procedures and processes would also need to be kept up to date when there are changes in the information systems or the environment.

Success Criteria: Periodic monitoring of facilities to ensure that policies and procedures are being followed. Third party audit of physician practices.