OCR: Physical Security Measures Essential for HIPAA Security Rule Compliance


Cyberattacks on healthcare organizations have increased significantly in recent years. According to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), between 2018 and 2022, there was a 278% increase in large data breaches stemming from ransomware and a 239% increase in hacking-related data breaches. While these incidents continue to account for the vast majority of healthcare data breaches, remote access to network servers is not the only way that electronic protected health information (ePHI) can be stolen.

The HIPAA Security Rule requires technical, physical, and administrative safeguards to be implemented to ensure the confidentiality, integrity, and availability of ePHI, and given the high numbers of hacking incidents it is all too easy to focus resources on preventing remote access to network servers and other internet-accessible devices and systems. OCR has drawn attention to the importance of implementing physical security measures in its August 2024 Cybersecurity Newsletter.

According to OCR, recent research suggests that only 7% of data security decision-makers are concerned about data breaches due to lost and stolen devices, yet 17% of the data breaches reported to OCR involve ePHI stored on lost or stolen equipment. The number of data breaches due to loss and theft has decreased considerably over the years as more HIPAA-regulated entities encrypt portable electronic devices and move data storage to the cloud; however, these breaches still occur, and many of them involve electronic equipment stolen in burglaries.

Between 2020 and 2023, OCR received more than 50 reports of large data breaches involving the ePHI of more than 1 million individuals in total, stored on desktop computers, servers, medical devices, and portable electronic devices such as laptops, smartphones, flash drives, and backup devices. The theft of electronic devices does not only put patient privacy at risk. Device theft can also delay or impede the delivery of care, and these incidents can easily involve unintentional or deliberate damage to the physical structures and electronic components that power or cool devices, which can affect network connectivity and further impact the delivery of care.

In the cybersecurity newsletter, OCR reminds HIPAA-regulated entities that the HIPAA Security Rule requires them to implement appropriate physical safeguards, including Facility Access Controls, to deter and prevent unauthorized access to facilities. If facilities containing electronic equipment are not protected with appropriate physical security measures, ePHI has not been fully secured.

The Facility Access Controls standard of the HIPAA Security Rule has four implementation specifications:

  • Contingency operations
  • Facility security plan
  • Access control and validation procedures
  • Maintenance records

These implementation specifications are “addressable” rather than “required,” which means HIPAA-regulated entities must assess whether the specification is reasonable and appropriate for their environment. If it is, then the measures should be implemented. If it is not, then the reasons why those measures are not appropriate must be documented and alternative measures should be implemented if they are reasonable and appropriate.

The Cybersecurity Newsletter includes several resources to help HIPAA-regulated entities improve physical security to meet their obligations under the HIPAA Security Rule, explanations of each of the above implementation specifications, and suggestions and recommendations to help regulated entities achieve compliance.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/