Policy & Guidelines for Physical Security

General Information

  • Paper records that include protected health information (PHI) must be secured. All incidents that may involve the loss or theft of any such paper records must be reported immediately.
  • Call 0120-4108931 to report potential breaches.
  • Medical records and health information must be placed and used in a way that minimizes incidental disclosure of PHI.
  • There should be no distinction between patient data, medical records and PHI.
  • We recommend having a process for tracking/logging the location of medical records and PHI while in use, in transit or in storage.


  1. Health information must be stored where access is regulated. All offices, rooms and facilities that contain information resources other than public ones will be protected accordingly, to prevent unauthorized access, damage or interference with business processes.
  2. Sensitive documents will be locked in file cabinets or other protective furniture that takes into account the results of the risk analysis.
  3. We suggest that medical records and PHI stored in hallways accessible to unauthorized individuals be kept in locked cabinets.
  4. Use only locked shelves in patient or research subject areas.
  5. Do not use reachable shelves in places that are open to individuals not authorized to access those medical records and PHI.
  6. Medical Records and PHI should be stored out of sight of unauthorized individuals, and should be locked in a cabinet, room or building when not supervised or in use.
  7. Monitoring and access control could include any or all of the following, based on the outcome of the physical security risk assessment:
    • Locked file cabinets, desks, closets or offices
    • Mechanical Keys
    • Glass break sensors
    • Door and window opening alarms
    • Hold open sensors for doors or windows
    • Always-active door alarms for emergency exits and other little-used doors
    • Above or below ceiling sensors (sites with false ceilings and walls that do not extend from floor to ceiling)
    • Motion/heat sensors for sensitive working areas
    • Security Patrols
    • Closed circuit TV or video cameras
    • Change keypad access codes on a regular basis
    • Assign an individual to manage, assess and control the document access areas
    • Identify individual(s) with the authority to grant access to an area


Designated Record Set: Medical, clinical and billing records about an individual, maintained or used for the individual’s treatment, appointment booking and decision making. This record set is subject to an individual’s right to request access and amendment.

Medical Record: For the purpose of these policy guidelines, ‘medical record’ includes the Problem List; History and Physical; Diagnosis and prognosis notes and reports; Progress Notes (including documentation); Neuroimaging and other pathological reports; Previous Consultations; and Photographs.

Protected Health Information (PHI)

Any individually identifiable health information, including demographic information, collected from an individual, whether oral or recorded in any form or medium, that is created or received by a covered entity.

PHI encompasses information that identifies an individual or might reasonably be used to identify an individual and relates to:

  • The past, present or future physical or mental health or condition of an individual; OR
  • The past, present or future payment of health care to an individual; OR

Data can be used to identify an individual if it contains either the name of the patient or any other data that could be taken together or used with other information to ascertain the identity of an individual (for example: date of birth, medical record number, address, phone number, email address, IP address, license numbers, photograph or a list of HIPAA Identifiers).