Complying With HIPAA and JCAHO Requirements
Specific security concerns are controlled access to specialized areas, supply rooms and medical carts, especially to control the access to medications, drugs, syringes, and needles.
By Rod Oden
While adhering to the usual group of local, state, and federal codes, locksmiths who work in or service hospitals, medical clinics and healthcare providers must also be aware of the additional requirements their healthcare customer must follow. In particular, hospital locksmiths should familiarize themselves with requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA) and Joint Commission on Accreditation of Healthcare Organizations (JCAHO).
Health Insurance Portability and Accountability Act of 1996
HIPAA is a federal law that allows persons to immediately qualify for comparable health insurance coverage when they change jobs. It was enacted so that a person can move to another employer and be certain that insurance will not be denied. HIPAA also provides for privacy by establishing the individual's right to decide who, when, and how any information about him or herself is disclosed, and for confidentiality by obligating others to maintain the person's privacy.
The organization that has jurisdiction over HIPAA is the Department of Health and Human Services (HHS). The department has the authority to mandate standards relating to the electronic transfer of health care data. It specifies what medical and administrative code sets should be used when transferring information. Through HIPAA, it requires the use of national identification systems for health care patients, providers, payers (or plans), and employers.
The department is responsible for specifying the types of measures required to protect the security and privacy of personally identifiable healthcare information.
Originally HIPAA was introduced into law to reform insurance, not health care.
HHS seeks to create a paperless standard in which patient information is digitally stored and shared electronically among health organizations. Although it strongly recommends encryption, at this time it does not require the use of encryption when storing or transmitting patient information.
Protected Health Information (PHI) and PHI that is electronically transferred (ePHI) are terms that are used frequently when talking about HIPAA standards. PHI refers to personal patient information that can be used to identify the patient, sometimes even inadvertently. PHI includes, but is not limited to, the patient's name, address, telephone number, age, diagnosis, surgery, date of procedure, and medications.
The goal of HIPAA is to facilitate a uniform paperless standard by 2015. Its current posture relies on getting the standards out to all those concerned and on self-compliance with the regulations.
There are both civil and criminal penalties associated with NOT following the HIPAA guidelines and releasing patient information. The penalties vary based on whether the information was inadvertently or deliberately released, as well as the type of information released.
Specific security concerns regarding HIPAA are: controlling access to medical records and accountability to ensure patient privacy.
Regarding direct fines and citations, hospitals (especially) pay more attention to another set of standards…
Joint Commission on Accreditation of Healthcare Organizations
The Centers for Medicaid & Medicare Services (CMS) governs all activity relating to the nation's Medicare and Medicaid programs. All healthcare organizations that accept Medicare and Medicaid payments are required to comply with federal standards called “Conditions of Participation” (COPs).
HHS (see HIPAA above) also uses COPs regarding HIPAA standards.
Since 1965, CMS has empowered JCAHO (pronounced “jay-co”) to accredit and enforce COP compliance. JCAHO evaluates and accredits more than 18,000 healthcare organizations and programs.
Hospitals aggressively seek JCAHO accreditation to meet Medicare certification and licensure requirements. Accreditation is a condition of reimbursement. Accreditation also reduces liability insurance and other premiums.
JCAHO surveys hospitals annually. Failure to achieve accreditation often leads to fines or accreditation suspension. JCAHO guidelines are numerous and cover all aspects of proper healthcare, including security.
JCAHO requirements are intended to ensure a safe and secure environment and are independent of other local, state, and federal requirements that also cover safety and security (e.g., the Uniform Building Code).
JCAHO does require that all NFPA 101 codes be applied, along with their additional requirements.
JCAHO requirements include, but are not limited to: developing a security and emergency management plan; conducting annual risk assessments that evaluate potential adverse environmental conditions affecting the security of patients, staff, and visitors; and using risk analysis to implement procedures and controls that reduce the potential for adverse impact on security.
Additional physical security requirements include identifying patients, staff, and visitors entering the facility; controlling traffic into and out of security sensitive areas, as determined by the organization; and mitigating violence in emergency rooms, departments, or other locations.
JCAHO also requires hospitals to provide for education and training to staff, licensed practitioners, and volunteers, pertaining to their performance and responsibilities within their environment.
Specific security concerns regarding JCAHO are controlled access to specialized areas; supply rooms; and medical carts, especially to control the access to medications, drugs, syringes, and needles.
Areas affected by HIPAA and JCAHO
HIPAA focuses on privacy and confidentiality. Wherever medical records are exposed or stored, HIPAA has a concern. Securing file cabinets, installing locks in cabinets, and upgrading door locks are typical examples.
Some non-typical considerations relate to access and surveillance systems.
The list of persons having access and their PINs is information that must be protected under HIPAA requirements. When persons no longer need access to areas, they are to be removed from access immediately, so the management of the access system must itself be regulated under HIPAA requirements.
Where surveillance systems are used, if the video is recorded, the storage and exposure to the video might come under HIPAA requirements.
When the locksmith installs these types of systems, it is better that a customer administrator manage these systems, rather than the locksmith. If the locksmith stores or keeps recorded media, where and how it is stored might become a HIPAA issue.
Areas affected by JCAHO standards can be pharmacies; surgery wards; administrative offices; kitchens and food service areas; places where patient and employee records are stored; places where narcotics and medications are stored; and nursing stations.
Most JCAHO standards are clear and direct. These include:
• Rooms where patient or employee records are stored are to be protected with a storeroom function lock. File cabinets used for the same purpose must be lockable.
• Nursing stations must use separate drawers or cabinets to store medical records, needles and syringes and emergency medications.
• Refrigerators designated for drugs must be locked at all times and under surveillance. No food can be stored in these refrigerators.
• Medical carts must be locked when no one is in attendance.
• All doors are to be self-latching.
• In pediatric wards locks can be raised to prevent children from leaving without notice.
Some requirements concerning “security-sensitive” or controlled areas are challenging to set up, as JCAHO has strict requirements relating to controlling “access to” and “egress” from these areas, while prevailing life safety codes demand immediate egress from the same areas. JCAHO does require compliance with the NFPA 101 Life Safety Code (LSC).
In areas that must be both JCAHO and LSC compliant, there are several areas within LSC that deal with exceptions to immediate egress in healthcare environments:
An exception in LSC 220.127.116.11.4 permits the locking of doors where there is a clinical need. “Door locking arrangements shall be permitted in health care occupancies or portions of health care occupancies where the clinical needs of the patients, require special security measures for their safety, provided staff can readily unlock doors at all times.”
In LSC 18.104.22.168.4, certain circumstances will allow delayed egress out of a security-sensitive area. “Delayed egress locks complying with 22.214.171.124.1 shall be permitted, provided not more than one such device is located in any egress path.” Note: the building must be protected throughout with a fire detection system or be fully sprinklered. Such doors must unlock upon activation of one of the following: “the sprinkler system, any heat detector, not more than two smoke detectors, loss of power controlling the locks, or an irreversible process within 15 seconds (30 sec. w/ AHJ approval) of pushing the release device.”
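As an added illustration (not from the article and not any lock manufacturer's controller logic), the following Python model encodes the release rules the quoted exception sets for a delayed-egress lock: the irreversible countdown once the release device is pushed, the 15-second limit (30 seconds only with AHJ approval), immediate release on sprinkler flow, any heat detector, two smoke detectors or loss of lock power, and the one-device-per-egress-path precondition. The event labels and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the delayed-egress release rules quoted above; this is
# an added illustration, not any manufacturer's controller firmware. Event
# names ("sprinkler", "heat", "smoke", "power_loss") are assumed labels.

def delayed_egress_allowed(devices_in_path: int, fire_detection_throughout: bool,
                           fully_sprinklered: bool) -> bool:
    """Preconditions of the exception: at most one delayed-egress device in any
    egress path, and the building protected throughout by detection or sprinklers."""
    return devices_in_path <= 1 and (fire_detection_throughout or fully_sprinklered)


@dataclass
class DelayedEgressLock:
    delay_s: int = 15                    # 15 s default; 30 s only with AHJ approval
    ahj_approved_30s: bool = False
    smoke_detectors_tripped: int = 0
    release_at: Optional[float] = None   # end of the irreversible countdown
    unlocked: bool = False
    unlock_reason: Optional[str] = None

    def __post_init__(self) -> None:
        if self.delay_s not in (15, 30):
            raise ValueError("delay must be 15 s or 30 s")
        if self.delay_s == 30 and not self.ahj_approved_30s:
            raise ValueError("a 30 s delay requires AHJ approval")

    def push_release(self, now: float) -> None:
        """Pushing the release device starts an irreversible process:
        later pushes neither restart nor extend the countdown."""
        if self.release_at is None and not self.unlocked:
            self.release_at = now + self.delay_s

    def fire_event(self, kind: str) -> None:
        """Sprinkler flow, any heat detector, or loss of lock power release the
        door at once. Smoke detectors must release it by the second detector at
        the latest ("not more than two"); two is the threshold modelled here."""
        if kind == "smoke":
            self.smoke_detectors_tripped += 1
            if self.smoke_detectors_tripped >= 2:
                self._unlock("two smoke detectors")
        elif kind in ("sprinkler", "heat", "power_loss"):
            self._unlock(kind)
        else:
            raise ValueError(f"unknown event {kind!r}")

    def tick(self, now: float) -> bool:
        """Advance the clock; returns True once the door is unlocked."""
        if self.release_at is not None and now >= self.release_at:
            self._unlock("delay elapsed")
        return self.unlocked

    def _unlock(self, reason: str) -> None:
        if not self.unlocked:            # first cause wins; the door stays released
            self.unlocked = True
            self.unlock_reason = reason
```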
It is possible to set up a door (in this area) that can be opened by remote control (key fob), provided the area is staffed at all times. This is stated in LSC 126.96.36.199.5. “Doors located in the means of egress that are permitted to be locked under the provisions of this chapter shall have adequate provisions made for the rapid removal of occupants by such a reliable means as the remote control of locks, by keying all locks to keys carried by staff at all times or by other reliable means available to staff at all times. Only one such locking device shall be permitted on each door.”
Additionally, security-sensitive areas can be “compartmentalized” to take advantage of another powerful exception contained in LSC 188.8.131.52.3. “For purposes of Section 7-2, a building shall be considered occupied at any time it is open for general occupancy, open to the public, or at any other time it is occupied by more than 10 persons.”
If the “compartmentalized” area has been scaled down so that the occupancy load is less than 10 persons, the door can feature a deadbolt or other auxiliary lock.
The point is that all areas should be carefully evaluated when they have been declared a “security-sensitive” area.
The best policy is to review all locations within the facility and limit (whenever possible) the number of “security-sensitive” areas. In this manner controversy between JCAHO and LSC can be reduced.
Remember that healthcare facilities and hospitals have ongoing matters regarding these requirements, life safety codes and fire codes. They will continually be working with the local AHJ (Authority Having Jurisdiction). When in doubt, talk to their AHJ about any concerns or applications regarding controlled areas.
Installing locks in HIPAA and JCAHO areas
A HIPAA concern is that medical records rooms are always secured, accessible only by persons needing access. Door locks that protect these areas must always be lockable from the exterior side. The door will be specified with a storeroom function. Door closers are appropriate to guarantee the door is self-latching.
JCAHO requires most locking hardware to be self-latching. In Figure 1, cabinet doors in a nurse's station are going to be fitted with self-latching locks, as each cabinet has the potential of storing drugs and medicines. The active leaf of each cabinet is fitted with an Olympus mortise cabinet lock. The inactive leaf will be secured from the inside with a latch mechanism.
Note that the cabinet locks can accommodate an interchangeable core for quick rekeying. In JCAHO environments, locks must be routinely rekeyed as access to the areas changes.
Self-latching is important as JCAHO requires ongoing inspections of the areas relating to the status of security. When the performance of locking hardware is routinely checked, visual inspections (closed cabinet doors) can indicate that areas are secured.
The access to refrigerators that store drugs, syringes, and needles must be limited.
Comp-X builds an electronic lock for this purpose. Figure 2 shows the electronic lock on the refrigerator door and Figure 3 shows how it secures the door to the frame. The Comp-X lock can be ordered to work with a combination and/or a proximity card.
Medical carts are also a focus as they often contain drugs, syringes, and needles. In Figure 4, another Comp-X electronic lock has been retrofitted, allowing a nurse to access the “meds” drawer by entering a PIN. The cart could have been configured (see Figure 5) with a different model lock that features a proximity reader, allowing the drawer to be accessed with proximity badges.
Gone are the days when a decision was made as to whether it was a good time to rekey. JCAHO requires locks to be rekeyed when a person or persons having access to a designated controlled area leave. JCAHO routinely inspects areas, and this is a common infraction that can lead to the revocation of certification.
HIPAA requires monitoring of who has access to patient information, and when.
Both JCAHO and HIPAA requirements have created a demand for locks that can be easily rekeyed while tracking all access.
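As an added example (not the article's own and not Videx's software), this Python check audits constructed electronic-key records against a staff roster for the two conditions raised here and in the HIPAA section above: keys a lock still accepts after their holder has left (a lock that should have been rekeyed) and granted accesses dated after a departure. All lock names, key ids, people and dates are constructed.

```python
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data for illustration only; not records from any real
# facility or from Videx software. Key ids, holders, locks and dates are made up.
ROSTER: Dict[str, Dict[str, Optional[object]]] = {
    "K-101": {"holder": "nurse A", "left": None},
    "K-102": {"holder": "nurse B", "left": date(2008, 3, 1)},
    "K-103": {"holder": "pharmacist C", "left": date(2008, 2, 10)},
}
# Which key ids each controlled lock currently accepts (its electronic "keying").
LOCK_AUTH: Dict[str, Set[str]] = {
    "med-fridge-3W": {"K-101", "K-102", "K-103"},
    "cart-7": {"K-101"},
    "records-room": {"K-103"},
}
# (lock, key, date, result) as an electronic key's audit trail would record it.
ACCESS_LOG: List[Tuple[str, str, date, str]] = [
    ("med-fridge-3W", "K-101", date(2008, 3, 3), "granted"),
    ("med-fridge-3W", "K-102", date(2008, 3, 5), "granted"),
    ("records-room", "K-103", date(2008, 2, 9), "granted"),
    ("cart-7", "K-102", date(2008, 2, 20), "denied"),
]


def stale_authorizations(roster, lock_auth, today: date) -> List[Tuple[str, str, int]]:
    """Locks still accepting a key whose holder has left: each one is a lock that
    should already have been rekeyed. Returns (lock, key, days since departure)."""
    findings = []
    for lock, keys in sorted(lock_auth.items()):
        for key in sorted(keys):
            left = roster[key]["left"]
            if left is not None:
                findings.append((lock, key, (today - left).days))
    return findings


def post_departure_access(roster, log) -> List[Tuple[str, str, date]]:
    """Granted accesses on or after the key holder's departure date: evidence
    that removal was not immediate, and the events to account for under HIPAA."""
    hits = []
    for lock, key, when, result in log:
        left = roster[key]["left"]
        if result == "granted" and left is not None and when >= left:
            hits.append((lock, key, when))
    return hits


if __name__ == "__main__":
    for finding in stale_authorizations(ROSTER, LOCK_AUTH, date(2008, 3, 10)):
        print("rekey needed:", finding)
    for hit in post_departure_access(ROSTER, ACCESS_LOG):
        print("access after departure:", hit)
```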
The migration to electronic locks
It is critical that healthcare facilities that accept Medicare and Medicaid payments maintain JCAHO certification. These facilities cannot afford failed inspections due to a door that was not self-latching, or locks that were not rekeyed in a timely manner.
Ideally, a single proximity card would be made to access all controlled areas (door locks, cabinets and drawers, padlocks, etc.), but the cost and the constraints of installation space make that impossible.
Electronic locks that can be easily retrofitted in all types of controlled areas and the electronic keys that monitor access are the means to satisfy the requirements.
Initially these locks (and keys) are expensive but the cost to upgrade is quickly offset as the cost to rekey is dramatically lowered.
An additional motivation to upgrade to electronic locks is to obtain complete accountability regarding access to controlled areas.
Figure 6 is an example of the data available from the use of Videx electronic keys.
Several companies offer electronic keys and lock cylinders that retrofit door locks. Videx is unique as they offer lock cylinders and cores that can fit into just about every type of locking device. They also offer their own custom configurations.
Figure 7 shows a medicine cabinet protected at the bottom with a Videx electronic lock. The existing cam lock was removed and replaced with the electronic version in Figure 8. This is a good example of how easily electronic access can be facilitated.
An added advantage using these types of retrofits is that the electronic locks can be easily recovered when the cabinet is no longer controlled.
Controlled areas within the healthcare facility may be secured with padlocks. Converting these areas is normally problematic as it requires reconfiguring the padlock and hasp mechanism with some kind of electronic bolt apparatus.
Videx offers both electronic lock cylinders that can retrofit into commercial padlocks and their own brand of commercial padlock (see Figure 10).
To address many of the issues relating to padlocks (weather-proofing and environmental exposure, multiple shackle sizes, and differences in the hasp arrangement), Videx has reinvented the padlock. All components are made from stainless steel and, instead of a shackle, there is a flexible cable.
This padlock (see Figure 11) is ideal for JCAHO/HIPAA applications.
It is common in institutional environments when padlocks (that can be opened with regular keys) are issued that they mysteriously “disappear.” This phenomenon is due to the fact that the padlock with keys can be used elsewhere outside of the facility.
Electronic equivalents can only be opened by electronic keys. The operability of electronic keys can change from day-to-day. Therefore expensive electronic padlocks are less likely to disappear because they are rendered useless without keys.
For those applications where an electric lock, deadbolt, latch, or strike is called for, Videx has a port that works with electronic keys and a controller that works with the port to trigger an authorized “request to exit” or “request to access.”
Availability of electric locking mechanisms
Many applications in the healthcare facility require custom electric locking or latching mechanisms.
A typical example might be a secured paper container used to collect discarded patient information. The drop slot might be controlled by an electric lock and it might be in constant use. A standard-duty cabinet, cam, or drawer lock would not work because of the constant use.
There are different types of electric (locking or latching) devices for every type of application.
The heavy-duty HES model 660 electric cabinet lock is rated for 1,000,000 duty cycles and 1000 pounds of holding force. The 660 is also flexible as it can be set up for sliding and swinging doors.
The RCI (Rutherford Controls International) Model 3510 electric cabinet lock is smaller in size and can therefore fit into tighter applications. The holding force is 200 pounds and it is rated for 500,000 cycles. For more holding force, there is the RCI 3512. The holding force is 320 pounds and it is rated for 500,000 cycles.
Securitron has an industrial cabinet lock, Model SCL-24. It is rated at 600 pounds of holding force. Securitron's MagnaCare warranty program virtually guarantees most of the products they sell for the lifetime of the lock's service.
All of these locks provide the locksmith with a lot of options when it comes to developing applications used in JCAHO/HIPAA controlled areas.
Genetic Information Nondiscrimination Act of 2007
The proliferation of electronic locks within healthcare facilities is inevitable; new legislation this year could impose even stronger, more restrictive requirements.
GINA is a forward-thinking bill that would prohibit companies from using the results of genetic testing when hiring and firing.
At this time medical researchers are “hobbled” as to the task of collecting the necessary genetic information to move their projects along. Individual volunteers are hesitant to participate as information collected has the potential of being disclosed in the future.
Genetic information is invaluable as it would give employers the ability to “weed” out those persons who are predisposed for diseases and ailments that would increase medical premiums or result in future disabilities.
It is almost certain that passage of this bill (and it is expected to do so) will require healthcare facilities to further raise the bar regarding the protection of patient information at least to the level of protection mentioned in this article.
Figure 1. Self-latching cabinet locks
Figure 2. An electronic lock secures a refrigerator
Figure 3. How the locking plate is mounted
Figure 4. Medical cart with an electronic lock
Figure 5. Comp-X eLock with proximity reader
Figure 6. Videx access records
Figure 7. Medicine cabinet with lock at bottom
Figure 8. Videx cam lock
Figure 9. An electronic mortise cabinet lock
Figure 10. Electronic padlock
Figure 11. Videx original padlock
Figure 12. Electronic controller for electric locks
Figure 13. HES 660 with 1000 lbs holding force
Figure 14. RCI 3510 with 200 lbs holding force
Figure 15. RCI 3512 with 320 lbs holding force
Figure 16. Securitron's SCL-24 industrial cabinet lock