OCR Cybersecurity Newsletter Highlights Importance of Facility Access Controls
9/30/2024
In its August 2024 Cybersecurity Newsletter, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), the HIPAA enforcement agency, provided important information regarding facility access controls. According to the OCR,
As an example, the OCR cited a $3.5M monetary settlement of an OCR investigation relating to, among other things, the theft of equipment from a covered entity’s facilities.
The HIPAA Security Rule requires covered entities and their business associates to implement ongoing facility access controls: policies and procedures that limit physical access to the organization’s information systems and to the facility or facilities in which those systems are housed, while ensuring that those whose job functions require access to such systems are granted secure access. This is accomplished by implementing four addressable implementation specifications: (1) contingency operations, (2) facility security plan, (3) access control and validation procedures, and (4) maintenance records.