Healthcare Regulations Provide Opportunity

Feb. 3, 2020
When you connect the dots between the huge I-Core market and plug-in I-Core electronics, you get an amazing healthcare market opportunity.

Your hospital admission generates about $1,200 in regulatory paperwork.[1] Extensive federal and state regulations require appropriate physical and data security, and lots of documentation. Much of this paperwork is required to document key and access control, and to secure drugs and patient records.

Markets include hospitals, clinics, pharmacies, doctor and dentist offices, nursing or care providers, and anyone handling or processing patient data. Although the 629 individual regulatory requirements[2] define basic security objectives, details and implementation can be appropriate to the facility, threat level, and foreseeable events. Essentially, protecting drugs and patient data means keeping doors, files, cabinets, and carts locked, and controlling access.

In this article we’ll discuss regulatory environment, questions to ask, and some of the security solutions.

Regulatory Environment

A number of informative articles have appeared in Locksmith Ledger in recent years. Several of these are worth your time if you do work for the healthcare industry.

An article titled “Rules of the Road” by Gale Johnson in the March 2011 Locksmith Ledger (https://www.locksmithledger.com/keys-tools/article/10237343/rules-of-the-road) contains an excellent interview with the head locksmith at a major hospital facility. Additional useful background is shared in the May 2007 Locksmith Ledger article “Complying With HIPAA and JCAHO Requirements” (https://www.locksmithledger.com/locks/article/10229684/complying-with-hipaa-and-jcaho-requirements). The article by Jerry Levine in the November 2012 Locksmith Ledger titled “Hospital Security: Rules, Regulations, Awareness and Acts” (https://www.locksmithledger.com/home/article/10796646/hospital-securty-rules-regulations-awareness-and-acts) discusses many of the regulatory hurdles encountered.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and The Joint Commission (TJC) (formerly JCAHO) provide most of the regulatory direction for healthcare. The federal regulations are contained in the 65-page portion of the CFR Title 45, Section 160.103. HIPAA controls how providers acquire, transmit, store, and disseminate patient data. A briefing paper on “HIPAA Basics For Providers: Privacy, Security, And Breach Notification Rules” covers the basic issues.

In addition to normal building and fire codes, HIPAA holds healthcare providers responsible for the protection of patient information. Physical and electronic records and patient confidentiality are paramount. Data breaches are taken seriously.

It appears that HIPAA laws originally were promoted to prevent insurance companies from denying coverage to applicants with high treatment costs, such as acquired immune deficiency syndrome and other conditions. The laws now focus more on data protection and confidentiality. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 specifies fines that range from $100 up to $1.5 million for information leaks. These regulations are administered by CMS for HHS.

TJC provides accreditation for more than 21,000 hospitals and health care organizations. TJC accreditation can be an important condition for Medicare and Medicaid reimbursements from CMS and is often critical to economic survival of a hospital.

Security Requirements generally concern protection of patients and personnel, patient data, and drugs. The actual process can range from locked doors, drawers and cabinets, with end-to-end key control, up to sophisticated EAC, CCTV, cyber defenses and guard staff. Your role will be to help develop appropriate key control processes, select high-quality hardware and help clients ask the right questions to meet the many requirements.

Here are a few questions to ask.[3]

  • Did you rekey when a key or credential-holder moved or left?
  • Do you have signed records of each key?
  • Are your medical records in a secured room and cabinet?
  • Does the lock have an audit trail? (Depends on risk and threat level)
  • Are your computer network and files adequately protected against unauthorized use?
  • Is your staff trained on HIPAA, HITECH and TJC regulations and consequences?
  • Are your business partners and vendors familiar with the above regulations?
  • Do you have a plan in place should a data breach occur?

These questions will help the user to review his or her plan and expose areas that need improved security. Help the customer solve his concerns and you’ll become a trusted partner.

Markets

The healthcare industry has several distinct markets, each having slightly different needs and levels of regulation intensity. All of these require serious key and credential control.

  • Clinics, urgent-care facilities, doctor or dental offices, specialty testing, labs, and other small offices are often located in multi-tenant buildings that tend to have a minimal security envelope. Internal key control, cabinet and door locks, file and electronic security, and employee training are areas they can control. It's critical that rooms and files with medical records not be on the building master.
  • Pharmacies tend to be better trained and very aware of security concerns. Access to patient information, drug cabinets and records is jealously guarded. They may need frequent key changes due to personnel turnover. The larger pharmacies tend to be national chains that may have a local employee or supplier who handles keying. Ask. You might become the supplier.
  • PACs. These are post-acute-care facilities, better known as rehab, assisted living, or skilled nursing. PACs may be stand-alone businesses or affiliated with a national chain. They tend to have tight budgets, but are responsible for HIPAA and HITECH patient data protection, as well as a plethora of state regulations. These facilities need secure patient records, key control, and drug protection. PACs are often at risk due to staff turnover, training needs, and key control issues. Locks really need to be self-latching. I’ve often seen drug cabinet or records room deadbolts just left unlocked for staff convenience.
  • Data Handlers manage or process patient data, claims, or billing. These facilities tend to be computer-based operations with a fairly intense level of security awareness. In many cases, that awareness is focused on electronic penetration, with less awareness of door hardware or keying issues. They tend to have locked server rooms, server cages and EAC at entrance and important interior doors. These seem to be where the massive security breaches can occur. We’ve often seen expensive Electronic Access Control on door assemblies that are easily compromised. Assume nothing in a place like this. Just ask questions and listen.
  • Hospitals are, of course, the big players in health care. Many will have hundreds and sometimes thousands of doors. They will generally have a full-time internal lock shop with experienced professionals. If you can get to know these people, there is likely to be some work available for your shop. Confidentiality is critical.

Ligature Resistant hardware is commonly used in psychiatric and incarceration facilities where suicide risk is a concern. These locks and hinges are sloped or rounded to restrict the ability to attach a cord, belt or strap. You may not often encounter Ligature Resistant needs, but it’s useful to ask when visiting psychiatric or detention facilities.

Antimicrobial coatings are increasingly used to inhibit the transmission of disease. This is an especially sensitive area in hospitals, where MRSA (staph infections) is a high concern. These coatings are available for high-touch locks and exit devices from major hardware suppliers. The antimicrobial coating inhibits bacterial growth by interrupting bacterial cell multiplication. Most of the interest so far has been within hospitals.

Key and Credential Control is an important component of HIPAA, HITECH and TJC guidelines. You can provide significant help to small and medium sized facilities. Key control includes the acquisition, storage, documentation, distribution, recovery and changes of keys or credentials. Since the cabinets, files, carts and storage rooms are under constant observation, documentation and rapid key, credential or code changes are primary HIPAA concerns. This is the reason for I-Core popularity in hospitals and larger institutions. Remember this: patented keys are just the tip of the key control iceberg.

Locking Devices are the fourth physical security issue. The primary hardware concern is the protection of patients, staff, pharmaceuticals and data. For the lock professional, this begins with exit devices, interior secure zones, cabinets, files, drug carts and data.

TJC guidelines require that doors to secured areas should be self-closing and latching (usually storeroom function). Although the Federal HIPAA regulations don't specifically require self-closing and latching, the issue would quickly fall under the category of a “foreseeable” liability. Electronic and paper files, as well as drug cabinets, need to be protected.

Locks and keys will need to be changed whenever someone leaves a given position with access to patient records or drugs. The vast number of keyed doors in hospitals and larger facilities tend to use Interchangeable Cores due to the low maintenance cost and rapid change capability. EAC with audit trails and fast access changes is becoming increasingly popular as costs drop and product options increase.
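The key-control duties described above (documenting each issued key with a signed receipt, recovering keys, and changing cores when a holder leaves a position with access to records or drugs) are easy to state and easy to let slip. As an added illustration, not code from the article or from any supplier it names, the following Python audit runs over a small key register and answers the three questions a surveyor would ask: which keys are still out in the hands of people who have left, which cores those keys open that have not been rekeyed since the departure, and which keys were issued without a signed record. The holders, key IDs, core names, dates and rekey log are all constructed sample data.

```python
"""Key and credential register audit (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    holder: str
    cores: tuple                 # cores (doors, cabinets, carts) this key operates
    issued: date
    signed_receipt: bool         # holder signed for the key when it was issued
    returned: Optional[date] = None


# Constructed sample data: holder -> date of separation or transfer (None = still in role)
HOLDERS = {
    "nurse_a": None,
    "tech_b": date(2020, 1, 10),
    "pharm_c": date(2019, 12, 1),
}

# Constructed sample key register
KEY_REGISTER = [
    KeyRecord("K-001", "nurse_a", ("CART-3", "RM-210"), date(2019, 6, 1), True),
    KeyRecord("K-002", "tech_b", ("SRV-CAGE",), date(2019, 8, 15), True),              # left, key not returned
    KeyRecord("K-003", "pharm_c", ("DRUG-CAB-1", "RM-210"), date(2019, 3, 1), False), # left, not returned, no receipt
    KeyRecord("K-004", "pharm_c", ("DRUG-CAB-2",), date(2019, 3, 1), True, returned=date(2019, 12, 1)),
]

# Constructed rekey log: core -> date the core was last changed or re-pinned
REKEY_LOG = {"RM-210": date(2020, 1, 5)}

AS_OF = date(2020, 2, 3)


def outstanding_keys(register, holders, as_of):
    """Unreturned keys whose holder separated or transferred on or before `as_of`."""
    out = []
    for k in register:
        separated = holders.get(k.holder)
        if k.returned is None and separated is not None and separated <= as_of:
            out.append(k)
    return out


def outstanding_key_ids(register, holders, as_of):
    return sorted(k.key_id for k in outstanding_keys(register, holders, as_of))


def cores_needing_rekey(register, holders, rekey_log, as_of):
    """Cores reachable by an outstanding key that were not rekeyed after the holder left."""
    exposed = set()
    for k in outstanding_keys(register, holders, as_of):
        separated = holders[k.holder]
        for core in k.cores:
            last_rekey = rekey_log.get(core)
            if last_rekey is None or last_rekey < separated:
                exposed.add(core)
    return sorted(exposed)


def keys_without_receipt(register):
    """Keys on the register with no signed issue record."""
    return sorted(k.key_id for k in register if not k.signed_receipt)


def audit(register=KEY_REGISTER, holders=HOLDERS, rekey_log=REKEY_LOG, as_of=AS_OF):
    return {
        "outstanding_keys": outstanding_key_ids(register, holders, as_of),
        "cores_needing_rekey": cores_needing_rekey(register, holders, rekey_log, as_of),
        "keys_without_receipt": keys_without_receipt(register),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {', '.join(items) if items else 'none'}")
```

The rekey log matters: RM-210 is opened by an unreturned key, but because the core was changed after that holder left, it drops off the list, while the drug cabinet and server cage that were never rekeyed stay on it. Run the same audit before each key change and after each departure, and keep the output with the signed key records the surveyor will ask for.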

When you connect the dots between the huge I-Core market and the plug-in I-Core electronics, you get an amazing healthcare market opportunity.

Electronic keys, such as the Cyberlock and Medeco XT systems, provide a broad selection of housings and adaptations, including SFIC options. These many adaptations are quite helpful in small to medium sized facilities that are likely to have whatever hardware came with the building.

The new BEST SwitchCore uses low cost smart phone mobile credentials or Bluetooth fobs for SFIC locks. This opens up a huge electronic market for the hundred million SFIC equipped locks used in the larger facilities. These secure Bluetooth Low Energy I-Cores provide a high level of accountability and rapid user changes for medical carts, drug cabinets, secure rooms, and server cages.

In recent years, several stand-alone electronic drawer and cart locks have been developed for drug security. Generally, these use popular keypad or RFID card reader protocols. When exploring options for a medical facility or doctor’s office, be sure to check what card technology they currently use and their plans for the future.

You don’t have to be the expert on HIPAA, HITECH, TJC or state requirements, but you should grasp the primary issues and threats your healthcare customers face. Below we’ve listed many of the cabinet, drawer and cart locking suppliers.

BEST: www.bestaccess.com

CodeLocks: www.codelocks.com

CompX: www.stealthlock.com

Cyberlock: www.cyberlock.com

FJM: www.fjmsecurity.com

HES: www.assaabloyesh.com

Lockey: www.lockeyusa.com

Lowe & Fletcher: www.loweandfletcherinc.com

Medeco: www.Medeco.com

Medixsafe: www.medixsafe.com

Securitech: www.securitech.com

Schlage: www.schlage.com

SouthCo: www.southco.com

Cameron Sharpe, CPP-Life Certified, worked 30 years in the commercial lock and electronic access industry. He advised many institutional, military, industrial, and utility organizations on key control processes. [email protected]

[1] Regulatory Overload Report: American Hospital Association.

[2] Ibid.

[3] https://us.allegion.com/en/home/markets/healthcare.html HIPAA.

About the Author

Cameron Sharpe

Cameron Sharpe, CPP, worked 30 years in the commercial lock and electronic access industry. Contact him at [email protected].