OCR Issues Advice on Importance of Facility Access Controls in Latest Cybersecurity Newsletter

The Office for Civil Rights (OCR) has issued a reminder to all HIPAA-regulated entities through its latest cybersecurity newsletter: Facility Access Controls are not a formality; they are a necessary part of securing electronic protected health information (ePHI). As cyber threats continue to grow, OCR’s August 2024 newsletter discusses the importance of implementing physical security measures to protect ePHI from unauthorized access. This is highly relevant in healthcare settings, where physical security is often overlooked.

The Importance of Physical Security

Much of the focus within the healthcare sector in recent years has been on protecting ePHI from cyber threats such as hacking, malware, and ransomware. The OCR states that the physical security of facilities housing ePHI is equally important. According to the newsletter, while the majority of data breaches derive from cyber incidents, a sizeable portion (17%) are attributed to lost or stolen devices, yet only 7% of security decision-makers are concerned about this risk. The newsletter draws attention to the fact that from 2020 to 2023, the OCR received over 50 large breach reports related to the theft of devices containing ePHI, affecting more than 1,000,000 individuals. These incidents violate patient confidentiality and can also disrupt healthcare delivery when devices such as servers or medical equipment are stolen or damaged. The OCR stresses that without proper physical security measures, regulated entities are leaving a weakness unaddressed.

Implementing the Facility Access Controls Standard

The OCR’s newsletter addresses the Facility Access Controls standard of the HIPAA Security Rule, which requires that regulated entities implement policies and procedures to limit physical access to their electronic information systems and the facilities where they are housed. The newsletter breaks down this standard into four implementation specifications:

Contingency Operations

The OCR explains that contingency operations involve establishing procedures that allow for physical access to facilities during emergencies. This supports the execution of contingency plans when normal operations are disrupted. The newsletter advises regulated entities to consider who needs access during such events, how to grant that access quickly, and whether there are other methods to ensure that facilities and ePHI remain secure during an emergency.

Facility Security Plan

A facility security plan safeguards an entity’s physical facilities and equipment from unauthorized access, tampering, and theft. The OCR recommends that regulated entities develop a customized security plan tailored to their risks and needs. This could include the use of surveillance systems, alarm systems, and access control mechanisms. Regular training and periodic updates to the security plan are also mentioned in August’s newsletter.

Access Control and Validation Procedures

Access control and validation procedures are necessary to regulate who can enter different areas of a facility based on their role. The OCR suggests that regulated entities implement procedures to control access for their personnel, including staff, contractors, and visitors. This could involve using keycards, sign-in sheets, and escorts to ensure that only authorized individuals have access to sensitive areas.

Maintenance Records

The OCR notes the importance of documenting and retaining maintenance records for any repairs or modifications to the physical components of a facility. These records help maintain accountability and ensure that security measures are not compromised during maintenance activities. The newsletter advises that maintenance records include details such as the date, time, and nature of repairs, as well as the names of the individuals responsible for overseeing these activities.

Enforcement Actions

The OCR’s newsletter also discusses the measurable impact of failing to implement strong facility access controls. It mentions a 2018 enforcement action involving Fresenius Medical Care North America (FMC), where the theft of electronic devices from FMC facilities led to multiple data breaches. The OCR’s investigation revealed that FMC had not conducted a risk analysis, failed to implement encryption, and lacked strong policies for managing physical security. These oversights resulted in a $3.5 million settlement.

The OCR’s August 2024 newsletter delivers a clear message. Facility Access Controls are a necessary aspect of HIPAA Security Rule compliance and should not be treated as a trivial exercise. As the healthcare sector continues to face increasing cyber and physical threats, entities must ensure that their physical security measures are strong, up-to-date, and integrated into their security strategy.

Photo credits: Geber86, AdobeStock.com


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth focuses on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone