Am I Required to Have an Alarm/Alarm System for My Facility Under the HIPAA Regulations?

Modified on Wed, 16 Jul at 1:56 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses whether having a facility alarm or alarm system is required under the HIPAA Security Rule.

What is the HIPAA Facility Security Plan Requirement?

The HIPAA Security Rule requires covered entities and business associates to implement physical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

One of the requirements of the Physical Safeguards rule is the facility access controls standard. This standard requires an organization to "Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."

The facility access controls standard contains four implementation specifications, which are methods, rules, or techniques prescribed by HHS for meeting the standard. The second of these implementation specifications is the facility security plan implementation specification, which requires organizations to "Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft." (45 CFR 164.310(a)(2)(ii))

The facility security plan specification is an addressable specification, meaning it must be adopted if it is reasonable and appropriate to do so. When considering the implementation of an addressable implementation specification, an entity must "Assess whether the implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information." If an entity concludes, after performing this assessment, that implementation of a specification is reasonable and appropriate, the entity must implement the specification.

What are Procedures to Safeguard a Facility and to Protect Its Equipment from Unauthorized Physical Access, Tampering, and Theft?

The Security Rule provides that, "In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information."

According to HHS guidance, some common controls to prevent unauthorized physical access, tampering, and theft that covered entities may want to consider include:

1. Locked doors, signs warning of restricted areas, surveillance cameras, and alarms.
2. Property controls such as property control tags, or engravings on equipment.
3. Personnel controls such as ID badges, visitor badges, and/or escorts for large offices.
4. Private security service or patrol for the facility.

If an entity takes into account the above four factors, and concludes that installing or maintaining alarms is a reasonable and appropriate safeguard, the entity may adopt an alarm system. HIPAA does not require that alarm systems be adopted, or that a particular type of alarm system be adopted. An entity should take into account the above four factors when deciding what kind of alarm system to implement.