OCR: Don’t Neglect Physical Security Controls for ePHI
In its August 2024 cybersecurity newsletter, OCR reminded HIPAA-regulated entities that physical security measures such as facility access controls are essential for HIPAA Security Rule compliance, and should not be thought of as check-the-box items. Physical security measures are important and can prevent data breaches and disruption to patient care.
The HIPAA Security Rule operationalizes the protections of the HIPAA Privacy Rule and establishes a set of standards for safeguarding electronic forms of protected health information (ePHI). HIPAA Security Rule compliance involves ensuring the confidentiality, integrity, and availability of ePHI, identifying and protecting against reasonably anticipated threats, protecting against reasonably anticipated uses and disclosures of ePHI, and ensuring compliance by the workforce.
Over the past few years, the biggest threats to ePHI have come from cybercriminal groups and nation-state actors, who seek access to healthcare networks to steal ePHI and prevent access to ePHI and essential IT systems. While the majority of large data breaches are due to hacking and other IT incidents, a significant percentage of data breaches involve a lack of physical safeguards. The 2023 State of Data Security Report from Forrester Research found that 17% of data breaches are due to lost and stolen devices, including desktop computers, servers, laptops, backup devices, and flash drives, yet only 7% of security decision-makers were concerned about the loss or theft of these devices resulting in a security breach.
From January 1, 2020, to December 31, 2023, OCR received more than 50 reports from HIPAA-regulated entities about data breaches that affected 500 or more individuals which were due to lost and stolen devices containing ePHI. Those breaches involved the ePHI of more than 1,000,000 individuals. While these types of breaches occur in far fewer numbers than hacking incidents, they are among the easiest data breaches to prevent through the encryption of data on electronic devices and the implementation of physical security measures.
Many of the theft incidents reported to OCR involved electronic equipment stored on-premises. The theft of desktop computers and portable electronic devices containing ePHI not only violates patient privacy, it can also impact care delivery. If devices containing patient records are stolen, clinicians may be prevented from accessing patients’ ePHI, and the theft of devices used for diagnostic or treatment services could impact care delivery. Thieves have also been known to damage essential IT infrastructure in addition to stealing devices, such as the equipment required for network connectivity, cooling, or power, which can further impact care delivery.
OCR explains in the newsletter that if appropriate physical security measures are not implemented, ePHI is not fully secured. In 2018, OCR announced that a $3.5 million settlement had been agreed with Fresenius Medical Care North America (FMC) to resolve violations of the HIPAA Security Rule that contributed to five data breaches in 2012, all of which involved the loss or theft of devices from FMC facilities and employee vehicles. Three of those incidents involved electronic devices stolen in break-ins at FMC facilities. OCR found there was a failure to conduct a risk analysis, no mechanism for encrypting data, a failure to implement policies and procedures governing the receipt and removal of devices from its facilities, a lack of policies to address security incidents, and a failure to implement policies and procedures to safeguard its facilities and the equipment stored at those facilities.
The cybersecurity newsletter focuses on the Facility Access Control standard of the HIPAA Security Rule, which requires regulated entities to implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed while ensuring that properly authorized access is allowed. Implementing physical security measures to prevent or deter unauthorized access to facilities where ePHI can be accessed is vital for compliance with this Security Rule standard, although it is only one aspect.
There are four implementation specifications under this standard: contingency operations, a facility security plan, access control and validation procedures, and maintenance records. These are addressable specifications, which means that an assessment is required to determine whether they are reasonable and appropriate, and if so, those measures should be implemented. If they are not reasonable and appropriate, the reason why must be documented, and other measures should be implemented that provide an equivalent level of protection.
OCR explains each implementation specification, offers advice for regulated entities on compliance with the Facility Access Control standard, and warns that these measures should not be thought of as box-checking items on a HIPAA compliance checklist. “Facility security is a vital part of a regulated entity’s overall security plan to protect PHI and should be considered holistically with an entity’s overall cybersecurity plan and HIPAA compliance program,” explained OCR.