Locking Down HIPAA Compliance

Feb. 4, 2022
Protecting patient records is federal law and requires multiple layers of security.

Healthcare generates a massive amount of records, and protecting those records is an essential function of any healthcare facility because of the Health Insurance Portability and Accountability Act (HIPAA).

The act has received a fair amount of attention in the public eye over the past year, specifically what constitutes a violation and what doesn’t. What doesn’t: You being asked to volunteer your health information. What does: a healthcare facility allowing your medical records to be viewed by others.

How maintaining the privacy of a patient’s records is accomplished can vary from one facility to the next. HIPAA has no specific requirements that pertain to security, only that “policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft” are enacted. Those policies and procedures are left entirely up to the facility, and “any security measures” that allow the facility to comply are acceptable.

That means that security pros have to be on their toes when they work in the area of protecting healthcare records, says Tony Kasper, owner of Athens Door and Lock in Athens, Tennessee. Kasper has been an institutional locksmith for more than 25 years, including work at the Vanderbilt University and University of Tennessee hospitals.

“A lot of times as a locksmith, you need to talk about a procedure” when it comes to achieving HIPAA compliance. “You can have the best lock in the world on a door or on a cabinet, but if [people] don’t use it properly, you’re defeating the purpose of it.” And the facility is being put in possible violation of HIPAA.

Big Vs. Small

Having a secure record-keeping procedure is necessary to any healthcare facility. HIPAA sees no difference between a large hospital and a single-practice doctor’s office. Both places must protect patient records and could face severe penalties if they fail.

Of course, the requirements of how to secure records at those locations will differ because of the size of the building or office and the number of records that might be kept there. Plus, records at larger facilities are more likely to be stored digitally in addition to physical backups in files and file cabinets and, because of the sensitive nature of the records, kept on servers in the building rather than in the cloud.

This presents additional scenarios that have to be taken into consideration when it comes to providing security. For example, Erin Wilson, manager of influencer education at dormakaba, points out that record-storage rooms and computer server rooms typically are fire-rated, which means that modifications to doors to those rooms are limited by local life-safety codes. This, in turn, could limit potential solutions, particularly if adding electronics is involved.

“If the opening is fire-rated, you can’t just cut that frame to put an electric strike in,” she says.

Then, there is the number of people who might require access to such records. Out of practical necessity, a larger facility will want to allow more people to have access to patient records than a small facility. Plus, the records and the people who would access them might be located in different parts of a medical campus. This applies to people who have access to records digitally as well as physically.

“You’re dealing with a myriad of different things,” Kasper says.

Fitting Solution

However, one thing that’s universal is that all healthcare facilities have a finite budget for security. Naturally, smaller facilities typically won’t have as much to spend as larger facilities.

“You can suggest a number of things to them to secure their records, but they’re dealing with what limited resources they have,” Kasper points out. The trick then is making sure that the solution works with the customer’s budget.

For smaller facilities, Kasper suggests starting with the actual file cabinets that hold patient records. Security pros should make sure the cabinets are fire-rated but also that the locks go beyond operating via a standard flat key. If an electronic lock or a high-security keyway is out of the budget realm, he recommends a tubular keyway, because not every locksmith, to say nothing of hardware stores, will be able to make a tubular key for someone. Of course, that key, no matter the type, still has to be protected, and security pros have to make sure awareness of that is part of the transaction.

“A lot of times, what I find is they’ll take the key — and it could be a tubular key or even a high-security key — put it on a key ring and just put it right in the [desk] drawer, [and] the drawer won’t be locked,” Kasper says. In such a scenario, anyone could use the key and gain access to a cabinet and, thus, a patient’s records. “That’s defeating the purpose” of your locking system.

This highlights what Benjamin Williams, director of product management at ASSA ABLOY Electronic Security Hardware, calls “concentric layers” of security to protect healthcare records. In other words, protecting healthcare records requires multiple layers of security, and that goes for electronic access control (EAC) as well as mechanical locks.

It isn’t enough simply to control access to patient records to certain people during certain times of the day, he says. You also have to lock the rooms that hold the records, be they in files or server cabinets, and finally the cabinets themselves. And you have to make sure you have secure credentials.

“[Protecting records] is very much part of a holistic security plan” for any healthcare facility, Williams says.

Going Electronic

As healthcare facilities become larger and the task of protecting records more intricate, it seems natural to move into electronic solutions, particularly EAC. EAC brings several features to bear that mechanical systems can’t, including audit trail capability that creates a record of who accessed a lock when — and, perhaps more important, when access attempts were unsuccessful.
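An audit trail is only useful if someone reviews it. As an added illustration (not code from the article or from any of the manufacturers it mentions), the script below runs a few policy checks over a constructed audit-trail export: repeated denials on one lock by one credential, access granted to a credential that the facility's own policy does not authorize for that lock (a sign that lock programming has drifted from the written policy), after-hours access, and a pull that returns as many events as the lock can hold, which suggests older events may already have been overwritten. The CSV layout, the `ALLOWED` policy table, the credential and lock identifiers and the 1,500-event capacity are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export (not from any real lock). Assumed fields:
# ISO-8601 timestamp, lock id, credential id, result (granted/denied).
SAMPLE_EVENTS = """\
2022-02-01T08:02:11,records-room-door,C1042,granted
2022-02-01T08:02:40,cabinet-03,C1042,granted
2022-02-01T12:15:05,cabinet-03,C2210,denied
2022-02-01T12:15:21,cabinet-03,C2210,denied
2022-02-01T12:15:48,cabinet-03,C2210,denied
2022-02-01T23:41:09,records-room-door,C1042,granted
2022-02-02T09:10:00,cabinet-07,C3305,granted
2022-02-02T10:00:00,cabinet-03,C3305,granted
"""

# Constructed policy: which credential may open which lock, and the hours
# during which access to records is expected.
ALLOWED = {
    "C1042": {"records-room-door", "cabinet-03"},
    "C3305": {"records-room-door", "cabinet-07"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
FAILED_THRESHOLD = 3        # denials by one credential on one lock
BUFFER_CAPACITY = 1500      # assumed on-lock event buffer size


def parse_events(text):
    """Parse the constructed CSV export into dicts, keeping file order."""
    events = []
    for line in text.strip().splitlines():
        ts, lock, cred, result = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "lock": lock,
            "cred": cred,
            "result": result,
        })
    return events


def review_audit_trail(text, allowed=ALLOWED, capacity=BUFFER_CAPACITY):
    """Return (finding, event) tuples a records custodian should look at."""
    findings = []
    denials = defaultdict(int)
    events = parse_events(text)

    # If a pull returns a full buffer, assume (for this example) the lock
    # overwrites its oldest entries and some history is already gone.
    if len(events) >= capacity:
        findings.append(("buffer_possibly_full", None))

    for ev in events:
        key = (ev["cred"], ev["lock"])
        if ev["result"] == "denied":
            denials[key] += 1
            if denials[key] == FAILED_THRESHOLD:
                findings.append(("repeated_denials", ev))
            continue
        # A granted event on a lock the policy does not list for that
        # credential means the lock's user list no longer matches policy.
        if ev["lock"] not in allowed.get(ev["cred"], set()):
            findings.append(("granted_outside_policy", ev))
        t = ev["ts"].time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            findings.append(("after_hours", ev))
    return findings


if __name__ == "__main__":
    for kind, ev in review_audit_trail(SAMPLE_EVENTS):
        print(kind, ev)
```

Run against the sample, the review flags the three denials by C2210 on cabinet-03, the 23:41 entry to the records room, and C3305 opening cabinet-03, which its policy entry does not cover. The checks are deliberately simple; the point is that the lock's audit trail and the facility's written access policy are compared on a schedule rather than only after an incident.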

Another important benefit of electronics is convenience. Matt Welty, vice president, Americas of Codelocks, says no matter the solution to protect healthcare records, it should do two things: It has to work, and it has to be convenient enough to use so it IS used and, thus, proper HIPAA compliance procedures are followed.

For example, the most secure cabinet lock can be defeated easily by an employee who finds it inconvenient to unlock it every time they have to access the cabinet if they must do so multiple times during the day, he says. “The more difficult or cryptic the access to the records is, the less likely it is that they're going to comply with that. They [think], ‘I’ll leave the door open, so I’ll come back in 10 minutes and get something else out.’” In the meantime, the records are left unprotected.

Kasper, who calls himself an “old-school locksmith,” sees the advantages of electronic locks and EAC in the right setting. He says the ideal scenario in a large facility’s records room would be a fail-secure EAC lock for entrance and a separate egress door that can’t be opened from the outside, “because not only as a locksmith do you have to consider security, you also have to consider safety.”

The key before doing anything, however, is talking with the customer and finding out their requirements as well as budget, Kasper adds. He calls it a “checklist” of ground to cover in the service of “what can I do to make this lock, cabinet door, whatever it is, more secure?”

And then you have to communicate back to the customer in words they understand. “A lot of times you can lose a customer when you start talking technical,” Kasper says. When putting together a security report that lays out upgrades and other solutions, he says he never uses terms such as “fail-secure,” because they’re meaningless to the layperson.

“You put it to where they understand it, and then they say, ‘Oh yeah. Let’s get this done.’”

Depending on the scenario and budget, here are a few solutions that can help facilities to achieve HIPAA compliance:

Codelocks KL1100 RFID, CL5500 Series

The KL1100 RFID is part of Codelocks’ Kitlock series of cabinet locks; the CL5500 Series is a smart door lock. Both are battery-powered locks that can be used to make healthcare facilities comply with the spirit of HIPAA. But Welty adds that both satisfy the ease-of-use requirement necessary to allow employees to adhere to HIPAA compliance, because they use the same prox credentials.

“The users for that [records] room could be programmed into that lock, and then, inside that room, their prox could give them access to all the cabinets or just some of the cabinets where the information is stored,” he says. Both provide audit trail capability; the door lock does so remotely via the K3 Connect app.

Further, the KL1100 allows for opening via card, sticker or bracelet, which makes for an easier and quicker method of accessing than a PIN or even a smartphone, Welty adds.

The CL5500 Series includes tubular latch, mortise and panic trim options.

More info: www.codelocks.us

CompX 150 Series, 200/300 Series

CompX’s range of eLock cabinet locks has convenience in mind. In addition to being easy to retrofit, the locks also have motorized latching, which allows for automatic relock upon closing.

Mitch Mlynarczyk, CompX vice president of technology and sales, says the most important feature of the locks with respect to convenience, however, is that all three can use existing credentials when installed as part of an upgrade.

“Healthcare’s No. 1 want as far as features was the ability to use existing credentials,” he says when discussing HIPAA. “Yes, audit trails and providing security, that’s a given, but their No. 1 want was the convenience of using existing credentials.”

All three locks provide an audit trail, but the big difference is in the number of events stored and the method of retrieval. The 150 has a 1,500-event audit trail. The 200 and 300 have 15,000, and the 300 has Wi-Fi capability, so the audit trail can be entered into an EAC system remotely. (Wi-Fi capability also allows for low-battery and door-ajar alerts.)

More info: www.compxelock.com

BEST Switch Tech

The Switch Tech smart cylinder by dormakaba division BEST is aimed at assisting with HIPAA compliance, Wilson says, because it accomplishes all of the goals of a standard EAC system. It can be used on cabinets and doors, and it provides the convenience of using the same mobile credential on both. It also provides remote audit trail capability of up to 3,200 events.

However, it also brings this to a records room door without having to worry about how the upgrade might affect the door’s fire rating, because it doesn’t change the door, she adds. “You just change out the small-format core, put the Switch Tech in, and you’re good to go.”

The battery-powered Switch Tech can be retrofit into almost any small-format interchangeable core in minutes and integrated with existing access control software. It can be accessed by fob or smartphone app.

More info: timeforaswitch.com

HES K Series, KS Series

The K and KS series of cabinet locks by ASSA ABLOY company HES are aimed at securing patient records, whether physical or digital. The K Series is meant for standard cabinets; the KS Series for server cabinets.

Williams points out that the KS Series is notable for its range of options, starting with a mechanical swing-handle option (KSM) that can include a small-format interchangeable core and even a Medeco X4 electromechanical core. The KS100 provides wireless access control through ASSA ABLOY’s Aperio technology.

At the top are the hard-wired KS200 and KS210. The KS210 is a recent addition to the lineup. Unlike the standard Wiegand KS200, the KS210 incorporates RS-485 Open Supervised Device Protocol (OSDP) wired communication. OSDP is a new standard issued by the Security Industry Association to allow for improved device interoperability and AES-128 encryption of reader-to-controller traffic, which the unencrypted Wiegand interface can’t provide. Williams says the KS210 is the first of its kind in the market. The KS210 also allows for Bluetooth mobile credentials.

The K Series includes wireless Aperio (K100) and wired Wiegand (K200) versions.

More info: www.assaabloyesh.com

SALTO XS4 Locker, Neo

Don’t let the name fool you: SALTO’s XS4 Locker lock isn’t just for lockers but a HIPAA solution for file cabinets, says Paul Cannon, vertical business lead, healthcare.

“We find these are very popular in the cabinet areas where they need that security for those HIPAA laws,” he says.

The battery-powered lock can be accessed via card, fob, wristband or smartphone and has audit trail and remote access control capability.

The Neo is SALTO’s smart cylinder, which comes in a variety of options for different applications. One of them is the half cylinder aimed at computer server racks. Cannon says the cylinder is designed to fit most swing-handle latches and bring to server cabinets access control and the same credential flexibility as the XS4 Locker lock.

“I always bring up the point, ‘OK, you have 20 server racks inside of that room. When someone gains access in there, do they have free rein to every single rack, or are each one of those auditable,’” he says. “They just say, ‘Yeah. We’re good, because we have the perimeter doors locked, and we know when someone goes in there,’ but do they really know?”

More info: saltosystems.com/en-us