Securing Medical Records

March 6, 2024

For locksmiths serving healthcare customers, maintaining safe, code-compliant door openings is only one part of the equation. Providing patient privacy by securing medical records is also part of the job. They must be well-versed in requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA) and Joint Commission on Accreditation of Healthcare Organizations (JCAHO) as well as building and life safety codes.

Originally HIPAA was introduced into law to reform insurance, not health care. HIPAA also enables privacy by establishing the individual's right to decide who, when, and how his or her medical records are disclosed.  Specific security concerns regarding HIPAA are: controlling access to medical records and accountability to ensure patient privacy.

The Health Insurance Portability and Accountability Act (HIPAA) lays out three rules for protecting patient health information: the Privacy Rule, the Security Rule and the Breach Notification Rule.

The HIPAA Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic. The Security Rule deals specifically with electronic recordkeeping and sharing.

HIPAA Rules and Regulations lay out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the HIPAA Privacy Rule identifies security standards, and for each standard, it names both required and addressable implementation specifications.

The HIPAA Rules and Regulations standards and specifications relating to locksmiths are as follows (there are far more requirements relating to training and oversight by medical staff):

  • Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information (ePHI).  Access to ePHI must be restricted to only those employees need it to complete their job function.
  • The procedures must address access authorization, establishment, modification, and termination.
  • Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations under HIPAA rules.
  • Physical Safeguards should be in place to control physical access to online and paper medical records,
  • Access to hardware and software must be limited to properly authorized individuals. When that hardware and software is taken out of service, it must be disposed of properly to ensure that PHI is not compromised.
  • Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
  • If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.
  • Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized if deemed appropriate and possible. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
  • Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.

On the cybersecurity front, rules govern the paperless sharing of patient records. For physical security, securing file cabinets, installing locks in cabinets, upgrading door locks are typical examples. Some non-typical considerations relate to access and surveillance systems.

The list of persons having access and their PIN falls into information that must be protected using HIPAA requirements. When persons no longer need access to areas, they are to be immediately removed from access, so the management of the access system must be regulated using HIPAA requirements.

When the locksmith installs these types of systems, it is better for a customer administrator to manage these systems, rather than the locksmith. If the locksmith stores or keeps recorded media, where and how it is stored might become a HIPAA issue.

The locksmith’s role will be to help develop appropriate key control processes, select high-quality hardware and help clients ask the right questions to meet the many requirements.

While many larger hospitals will have on-staff locksmiths, think of all the smaller doctor and dental offices in your community. They can be a great market for the commercial locksmith. Electronic keys, such as the Cyberlock and Medeco XT systems, provide a broad selection of housings and adaptations, including SFIC options. These many adaptations are quite helpful in small to medium sized facilities that are likely to have whatever hardware came with the building.

Ask the Right Questions

  • Did you rekey when a key or credential-holder moved or left?
  • Do you have signed records of each key?
  • Are your medical records in a secured room and cabinet?
  • Does the lock have an audit trail? (Depends on risk and threat level)
  • Are your computer network and files adequately protected against unauthorized use?
  • Is your staff trained on HIPAA, HITECH and TJC regulations and consequences?
  • Are your business partners and vendors familiar with the above regulations?
  • Do you have a plan in place should a data breach occur?

Hospitals also need JCAHO accreditation to meet Medicare and certification and licensure requirements. Accreditation is a condition of reimbursement. 

Most JCAHO standards are clear and direct. These include:

  • Rooms where patient or employee records are stored are to be protected with a storeroom function lock. File cabinets used for the same purpose must be lockable.
  • Nursing stations must use separate drawers or cabinets to store medical records, needles and syringes and emergency medications.
  • Refrigerators designated for drugs must be locked at all times and under surveillance. No food can be stored in these refrigerators.
  • Medical carts must be locked with no one is in attendance.
  • All doors are to be self-latching.
  • In pediatric wards locks can be raised to prevent children from leaving without notice.

For more information, visit