In today’s environment of increased cyber-attacks and breaches of electronic protected health information (ePHI) caused by hacking, malware, or ransomware, HIPAA covered entities and business associates (collectively, “regulated entities”) may overlook the need for vigilance with regard to the physical security of their ePHI. When it comes to ensuring the confidentiality, integrity, and availability of ePHI, regulated entities must ensure that the physical security of their facilities is not neglected. Recent data security research suggests that only 7% of data security decision makers are concerned with breaches due to lost or stolen equipment, even though these account for 17% of breaches.
From 2020 through 2023, the Office for Civil Rights (OCR) received over 50 large breach reports (i.e., breaches of unsecured protected health information (PHI) involving 500 or more individuals) affecting over 1,000,000 individuals attributable to stolen equipment and devices containing ePHI. Such equipment and devices were frequently described as being stolen during a burglary and included workstations, servers, laptops, external hard drives, backup devices, flash drives, smart phones, and medical devices. Regulated entities should ensure that they have proper physical safeguards, including Facility Access Controls, in place to deter and prevent unauthorized access.