must be addressed as part of the physical safeguards of the covered entity. This standard (which has no subsidiary implementation specifications) requires "implement[ation of] physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users." "Workstation" is defined as "an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment." (164.304) Thus PDAs, tablet computers, and other portable/wireless devices are included. (DHHS noted specifically in its Final Rule commentary that the workstation standards are not to be interpreted as limited to "fixed location devices." Final Rule, p.122)

The critical variable is not the particulars of the device itself, but whether it can access or store PHI. If it can, formal, documented policies and procedures must be in place, and the covered entity must take reasonable, appropriate steps to assure that the policies and procedures are followed.

For fixed location devices, these might include specifications for secure locations. For portable ones, they might include limitations on what devices can leave the facility. The particular rules would be determined by, among other things, results from the covered entity's risk analysis and risk management efforts, required as part of the security management process standard.