Although most entities subject to HIPAA spend considerable time and effort protecting their electronic networks from the latest hacking scam, malware, or ransomware variant, it is important to remember that electronic access is not the only way to access electronic protected health information (ePHI) – some thieves walk right through the front door. Thus, it is important that healthcare providers and business associates not neglect the physical security of their premises, including by implementing the appropriate Facility Access Controls outlines in HIPAA’s Security Rule.
In its recent newsletter, OCR cites to research suggesting that only 7% of those responsible for data security are concerned with breaches due to lost or stolen equipment, even though such incidents account for 17% of HIPAA breaches. In three years, OCR received over 50 large breach reports affecting over 1 million individuals attributable to stolen equipment and devices containing ePHI. Such equipment was often stolen during a burglary and included workstations, servers, laptops, external harddrives and flash drives, smart phones, and medical devices.
The failure to implement Facility Access Controls can result in an enforcement action by OCR. For example, in 2018, OCR investigated a provider of products and services for people with chronic kidney failure for 5 separate breaches, 3 of which involved equipment stolen from the provider’s facility. The equipment contained patient names, admission dates, dates of service, dates of birth, Social Security numbers, telephone numbers, and addresses. OCR found potential violations of HIPAA due, in part, to the failure to implement policies and procedures to safeguard the facilities and equipment there in from unauthorized access, tampering, and theft. The provider resolved the investigation with a monetary settlement of $3.5 million and a corrective action plan to resolve potential HIPAA violations.
With that in mind, the Facility Access Controls standard of HIPAA requires covered entities to implement policies and procedures to limit physical access to their electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. 45 C.F.R. § 164.310(a)(1). This standard contains four addressable implementation specifications:
- Contingency operations – establish a contingency plan to response to emergencies that damage systems containing ePHI such as a natural disaster or human actions (hacking and inadvertent disabling or deletion of ePHI)
- Facility security plan – policies and procedures to protect against unauthorized physical access, tampering, and theft (e.g., surveillance cameras, alarm systems, inventory control system, employee and visitor badges, security guards, and biometic/electronic/mechanical security systems)
- Access control and validation procedures – procedures to control and validate access to a facility based on an individual’s role or function, including visit access control, determining and documenting access points in a facility, creating an inventory of technology assets, and ensuring equipment is monitored as necessary
- Maintenance records – policies and procedures to document information about repairs and modifications made to the physical component of a facility (hardware, doors, locks, etc)
As with any addressable implementation specification, HIPAA covered entities are requires to address whether a specific implementation specification is reasonable and appropriate to safeguard its environment, and if so to implement it. If the specification is not reasonable, the covered entity must document why and implement an alternative measure if reasonable and appropriate.
The attorneys at Chilivis Grubman represent clients of all types and sizes in connection with HIPAA compliance. If you need assistance with such a matter, please contact us today.