OCR Cybersecurity Newsletter Highlights Importance of Facility Access Controls
In its August 2024 Cybersecurity Newsletter, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), the HIPAA enforcement agency, provided important information regarding facility access controls. According to the OCR,

From 2020 through 2023, the Office for Civil Rights (OCR) received over 50 large breach reports (i.e., breaches of unsecured protected health information (PHI) involving 500 or more individuals) affecting over 1,000,000 individuals attributable to stolen equipment and devices containing ePHI. Such equipment and devices were frequently described as being stolen during a burglary and included workstations, servers, laptops, external hard drives, backup devices, flash drives, smart phones, and medical devices. Regulated entities should ensure that they have proper physical safeguards, including Facility Access Controls, in place to deter and prevent unauthorized access.

The OCR provided an example of a monetary settlement of an OCR investigation in the amount of $3.5M, relating to, among other things, the theft of equipment from a covered entity’s facilities.

Among the requirements of the HIPAA Security Rule is the requirement for covered entities and their business associates to implement ongoing facility access controls – policies and procedures to limit physical access to the organization’s information systems and the facility or facilities in which such information systems are housed, while at the same time ensuring that those whose job functions require access to such systems are granted secure access. This is accomplished by implementing four addressable implementation specifications: (1) contingency operations, (2) facility security plan, (3) access control and validation procedures, and (4) maintenance records.

The OCR newsletter contains details about each of these specifications and provides links to additional resources.

This article appears in the September 2024 Healthcare Law Update.

If you need assistance with your HIPAA compliance program, an OCR investigation, or a data breach incident, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | ldornfeld@bracheichler.com

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.
