HIPAA Environmental Monitoring Standards

Greetings and welcome back!  This week we continue our series on the cyber, physical and operational security standards for HIPAA compliance.  Specifically, we take a look at HIPAA Environmental Monitoring Standards for the cooling and protection of the servers where your ePHI is stored.


Medical records must be protected from more than just cyber or physical threats. HIPAA Security standards require that they must also be protected from destruction in the event of a natural or environmental event. This is specifically provided for in

HIPAA Section 164.304“Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards…

What are some of the environmental hazards that can cause the downtime, damage or data loss in the electronic information systems?  Here are a few that have been singled out in data environments:

  1. HVAC Cooling failure in server room or network closet resulting in overheated servers and downed ePHI systems
  2. Server cooling fan failure resulting in shutdown of ePHI server
  3. Water leak over servers or network equipment resulting in destruction of ePHI servers and data

All of these environmental problems are real problems that are often cited for failure of Information Systems equipment. As shown in this recent study of IT Systems Failure by the Uptime Institute, environmental-related failure is the 3rd largest cause of system downtime.  If you add “Weather Related” including water from heavy rains, etc, you get over one quarter of all IT system failure is due to environmental causes.

HIPAA Environmental Monitoring Standards

HIPAA requires all covered entities and business partners to have environmental monitoring for the rooms that contain their ePHI but, very few have taken this requirement seriously.  Because over a quarter of all ePHI system failure and data loss is related to environmental causes (and data loss is a HIPAA violation), it is penny-wise and dollar-foolish to fail to provide proper environmental monitoring for your server rooms.

Our RackGuardian system is purpose-built to provide cyber, physical and operational protection for all of your environmental control systems.  Please think about this and feel free to give us a call to confidentially discuss the protection of your critical server and network rooms.

Until Next Time,

Be Well!