New OCR Guidance on Facility Access Controls for HIPAA Entities

The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued new guidance emphasizing the importance of physical security measures in protecting electronic protected health information (ePHI) under the HIPAA Security Rule. Due to the rise in cyberattacks and data breaches, it is essential for HIPAA-covered entities and their business associates to implement Facility Access Controls. These controls help ensure the confidentiality, integrity, and availability of ePHI.

According to OCR, despite the focus on digital security, physical threats such as theft of equipment still account for a significant portion of data breaches. From 2020 to 2023, over 50 large breaches affecting more than 1,000,000 individuals were reported to OCR, primarily due to stolen devices. These incidents underline the necessity for regulated entities to implement physical safeguards.

The HIPAA Security Rule’s Facility Access Controls standard requires regulated entities to establish policies and procedures to restrict physical access to their electronic information systems and the facilities where they are located, while still allowing access for authorized individuals. This standard is divided into four addressable implementation specifications: contingency operations, facility security plan, access control and validation procedures, and maintenance records. These specifications provide a framework for regulated entities to assess and implement appropriate measures based on their specific environments.

Contingency operations involve establishing procedures that ensure access to facilities during emergencies or disasters, enabling the execution of contingency plans and restoration efforts. These procedures are vital for maintaining the security and availability of ePHI during unexpected events, whether caused by natural disasters or human actions.

The facility security plan specification requires entities to develop and enforce policies to protect their facilities from unauthorized access, tampering, and theft. This plan should be tailored to the unique circumstances of each entity and may include various security measures such as surveillance cameras, alarm systems, and controlled access points. Regular training, reviews, and testing of the plan are also recommended to ensure its effectiveness.

Access control and validation procedures focus on controlling and verifying who has physical access to facilities based on their roles or functions. This involves procedures for managing access by staff, contractors, visitors, and others, potentially through measures like sign-in protocols, escorts, or electronic key cards.

The maintenance records specification requires entities to document repairs and modifications to physical security components. These records help maintain accountability and ensure that security measures remain effective over time. Documentation should include details such as the date, time, location, and description of the maintenance activities, as well as the individuals responsible for overseeing and authorizing these activities.


Compliance Perspective

Issue

Within the healthcare sector, the HIPAA Security Rule applies to covered entities, their business associates, and the ePHI they handle. Because ePHI identifies individuals and includes information relating to an individual’s health, treatment, or payment, it is a valuable target for cybercriminals. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. The Facility Access Controls standard of the HIPAA Security Rule requires that regulated entities “[i]mplement policies and procedures to limit physical access to [their] electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.” Failure to implement Facility Access Controls can lead to a breach of PHI and potential enforcement actions by OCR for such failures.

Discussion Points

• Review policies and procedures on the HIPAA Security Rule and Facility Access Controls, making sure the four implementation specifications are addressed. Ensure policies and procedures for controlling access account for various roles and groups including, for example, staff, contractors, visitors, volunteers, interns, non-staff providers, and probationary employees.
• Train relevant staff on the Facility Access Controls, including detailed instruction on implementing the facility security plan. Ensure that specific training on documentation and retention of maintenance records is provided to staff responsible for these tasks. Training should cover the importance of accurately recording repairs and modifications to security components and maintaining these records for accountability and compliance.
• Implement a regular auditing schedule to assess the effectiveness of physical access controls. Audits should verify that access to electronic information systems is appropriately restricted and that only authorized individuals have access. Additionally, ensure that audit findings are reviewed and acted upon to address any identified gaps or non-compliance issues.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
