Organizations have flexibility, particularly with the addressable requirements, in how they implement these security protocols. These addressable concerns are particularly important in the COVID-19 era given the rise in the use of telehealth.
October 2021
When calculating fines related to a breach, HHS is required to take cybersecurity into consideration and also reduce the extent and length of an audit if the entity being investigated has met industry-standard best practices security requirements. HHS is not permitted to increase fines or the length of an audit when an entity is found to be out of compliance with recognized security practices, however.
“Recognized security practices” means standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology (NIST) Act, the Cybersecurity Act of 2015, and other programs, processes, or regulations that address cybersecurity now or in the future.
Starting earlier this year, HHS Office for Civil Rights investigators began routinely requesting information regarding a covered entity’s implementation of recognized security practices. Having such practices in place may be the key to avoiding hefty fines or penalties in the event of a breach.
Physical Access Protocols and Document Security
Another best practice is to ensure that physical security and document storage policies are up to date. To ensure that patient records are physically secure, organizations must ensure that their facilities are protected through office and warehouse entry control monitoring systems, cubicle and office security, and electronic device protocols.
Additionally, access validation systems (e.g., identification badges and scanned key cards) provide an additional layer of security to protect facilities from unwanted visitors. In the HHS HIPAA Security Information Series program on security standards and physical safeguards, a number of best practices are mentioned:
- Locked doors, signs warning of restricted areas, surveillance cameras, and alarms;
- Property controls, such as property control tags and engraving on equipment;
- Personnel controls, such as identification badges, visitor badges, and/or escorts for large offices; and
- Private security service or patrol for the facility.
Although some of the security measures above appear to be standard, such as locked doors, all are prone to decay and underuse. The best practice is to ensure that employees are routinely trained on the importance of carrying identification, locking doors, and remembering to validate individuals attempting to enter a company’s physical space.
Further, employees may be tempted to circumvent some of these safeguards for convenience, such as failing to lock documents securely between visits to the file room. The best practice is to enforce physical security measures commensurate with their importance and, as such, implement disciplinary policies for those who fail to adhere to company policies.