Patient data are being both stored & disseminated through online network channels, email & other telecommunications modes. As a result, access control, encryption & automatic logoff are particularly important.
“Recognized security practices” means standards, guidelines, best practices, methodologies, procedures and processes developed under the National Institute of Standards and Technology (NIST) Act, the Cybersecurity Act of 2015 and other programs, processes or regulations that address cybersecurity now or in the future.
Starting earlier this year, OCR investigators routinely request information regarding a covered entity’s implementation of recognized security practices. Have such practices in place may be key to avoiding hefty fines or penalties in the event of a breach.
2) Adequate Physical Access Protocols & Document Security
Another best practice is to ensure that physical security and document storage policies are up to date. To ensure patient records are physically secure, organizations must ensure their facilities are protected through office and warehouse entry control monitoring systems, cubicle and office security, and electronic device protocols.
Additionally, access validation systems (e.g., identification badges and scanned key cards) provide an additional layer of security to protect facilities from unwanted visitors. In the HHS HIPAA Security Series program on security standards and physical safeguards, a number of best practices are mentioned:1
- Locked doors, signs warning of restricted areas, surveillance cameras, alarms;
- Property controls, such as property control tags, engraving on equipment;
- Personnel controls, such as identification badges, visitor badges and/or escorts for large offices; and
- Private security service or patrol for the facility.
Although some of the security measures above appear to be standard, such as locked doors, all of the above
are prone to decay and underutilization. The best practice is to ensure that employees are routinely trained on the importance of carrying identification, locking doors and remembering to validate individuals attempting to enter a company’s physical space.
Further, employees may be compelled to cheat some of these safeguards for ease, such as failing to lock documents securely between visits to the file room. The best practice is to enforce physical security measures commensurate with their importance and, as such, implement disciplinary policies in connection to those who fail to adhere to company policies.
Above all else, the COVID-19 era is a time for organizations to retrain employees on the importance of technical and physical security standards and to implement policies if they are inadequate or missing altogether.
Finally, it is important to note that healthcare organizations comprise individuals with disparate training and experience, some of whom do not have technical certifications or expertise in maintaining security and confidentiality of PHI. As a result, it is particularly important for organizations to provide education and continued support. An organization whose employees have an understanding of the types of threats that cybersecurity and physical security protect against will foster an environment of vigilance and bolster its defense.