In the cybersecurity newsletter published in August 2024, OCR emphasized that physical security measures like facility access controls, are important for HIPAA Security Rule compliance. HIPAA-regulated entities should not treat these measures as mere tasks to do. They are necessary for preventing data breaches and making certain of the continuity of patient care.
The HIPAA Security Rule implements the safeguards of the HIPAA Privacy Rule by establishing standards for protecting electronic protected health information (ePHI). Compliance with the Security Rule requires maintaining the integrity, confidentiality, and availability of ePHI, addressing foreseeable threats, preventing unauthorized uses and disclosures, and ensuring the adherence of employees to these protections.
In recent years, ePHI has been threatened by cybercriminal groups and nation-state actors, targeting healthcare networks to steal sensitive data and disrupt access to IT systems. Although most big data breaches result from hacking and other IT-related incidents, a notable portion is caused by inadequate physical safeguards. According to Forrester Research’s 2023 State of Data Security Report, 17% of data breaches are attributed to lost or stolen devices, such as laptops, desktop computers, flash drives, servers, and backup devices. Despite this, only 7% of security decision-makers expressed concern regarding these incidents that end in security breaches.
Between January 1, 2020 and December 31, 2023, HIPAA-regulated entities submitted to OCR over 50 data breach reports that involved lost or stolen devices with ePHI, each impacting 500 and up people. The ePHI of over 1 million people were exposed. Although less frequent than hacking incidents, these data breaches are among the easiest to avoid through data encryption in electronic devices and the use of physical security steps.
Many theft incident reports submitted to OCR involved electronic equipment located on-site. The theft of portable devices and desktop computers with ePHI breaches patient privacy and can also disrupt the provision of diagnostic or treatment services. Stolen devices with patient records can prevent doctors from accessing ePHI, which is necessary for making decisions concerning patient care. Additionally, thieves may damage IT infrastructure, such as the equipment for network connectivity, cooling, or running devices, even more limiting care delivery.
The OCR newsletter explains that without proper physical security measures, ePHI cannot be fully protected. In 2018, Fresenius Medical Care North America (FMC) paid $3.5 million to settle HIPAA Security Rule violations that led to five data breaches in 2012. The breaches were associated with missing or stolen devices from facilities and vehicles of FMC. In three incidents, electronic devices were stolen during break-ins. OCR identified several shortcomings, including the lack of a risk analysis, data encryption mechanisms, policies and procedures for device management, and security measures for protecting the facilities and equipment.
The cybersecurity newsletter talks about the Facility Access Control standard under the HIPAA Security Rule. As per this standard, HIPAA-regulated entities need to establish policies and procedures to restrict physical access to electronic data systems and their facilities, except for authorized persons. Physical security helps to avoid or deter unauthorized access to facilities containing ePHI and complies with the Facility Access Control standard, though it represents just one of the Security Rules.
The standard includes four implementation specifications:
- contingency operations
- a facility security plan
- access and control validation procedures
- records maintenance
These specifications should be addressable. Entities should assess if they are reasonable and appropriate for their circumstance. If they are deemed reasonable and appropriate, they should be implemented. If not, the reasons for this decision must be recorded. Alternative measures must be considered to achieve an equal level of security.
OCR discusses each implementation specification and gives covered entities guidance regarding Facility Access Control standard compliance. They caution against viewing these measures merely as checklist items for HIPAA compliance. Facility security is a part of a regulated entity’s security strategy to protect PHI and should be integrated holistically with the entity’s cybersecurity plan and HIPAA compliance.