Federal Health & Welfare Updates

HHS Cybersecurity Newsletter Explains HIPAA Facility Access Control Requirements

HHS's Office for Civil Rights (OCR) has released its latest cybersecurity newsletter to remind HIPAA-covered entities, which include employer-sponsored health plans, and business associates (collectively, “regulated entities”) that physical security measures such as facility access controls are essential for HIPAA Security Rule compliance. As cyberattacks and breaches of electronic protected health information (ePHI) continue to increase, these measures help prevent unauthorized physical access to the systems and devices on which ePHI is stored.

The newsletter highlights the importance of implementing proper physical safeguards, including facility access controls. It notes that from 2020 to 2023, OCR received over 50 large breach reports (i.e., breaches of unsecured PHI involving 500 or more individuals) attributable to stolen equipment and devices containing ePHI, affecting over 1,000,000 individuals in total. The stolen items included workstations, servers, laptops, external hard drives, backup devices, flash drives, smartphones, and medical devices. Regulated entities should ensure that they have proper physical safeguards in place to deter and prevent unauthorized access to such equipment.

The Facility Access Controls standard of the HIPAA Security Rule consists of four implementation specifications that must be considered when assessing the sufficiency of facility access controls. All four are "addressable" specifications, meaning a regulated entity must implement each one if reasonable and appropriate or, if not, document why and implement an equivalent alternative measure where reasonable and appropriate:

  • Contingency Operations. Regulated entities must establish procedures that allow facility access in support of restoring lost data and operations after an emergency or other occurrence that damages systems containing ePHI. Emergencies can include natural disasters (e.g., floods or fires) as well as human actions, whether malicious (e.g., hacking and malware attacks) or non-malicious (e.g., accidents and errors). When developing contingency operations procedures, regulated entities can consider who requires facility access during an emergency, who is responsible for the organization’s contingency plans, alternative means of accessing facilities and ePHI, and what activities and resources would be needed for different types of emergencies.
  • Facility Security Plan. Regulated entities must establish policies and procedures to protect facilities and equipment from unauthorized physical access, tampering, and theft. When creating a facility security plan, regulated entities may consider how the plan addresses items such as surveillance cameras, alarm systems, property control/inventory tags, employee/contractor ID badges and visitor badges, private security guards/patrols, facility escorts for visitors/contractors, and biometric, electronic, and/or mechanical security systems. Regulated entities may also consider workforce training, annual reviews and updates of the facility security plan, and periodic testing of the plan.
  • Access Control and Validation Procedures. Regulated entities must control and validate an individual’s access to facilities based on that individual’s role or function, including visitor control and control of access to software programs for testing and revision.
  • Maintenance Records. Regulated entities must establish policies and procedures to document information and retain records about repairs and modifications made to the physical components of a facility related to security (e.g., hardware, doors, and locks).

The newsletter reminds regulated entities that failing to implement facility access controls can lead to a breach of PHI and to potential enforcement action by OCR.

Plan sponsors and fiduciaries should regularly evaluate their facility access control standards to make sure they include reasonable and appropriate contingency operations procedures, a facility security plan, access control and validation procedures, maintenance records, and training of workforce members on the facility security plan.

August 2024 OCR Cybersecurity Newsletter

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
