Potential clients often ask whether our access control system complies with HIPAA when they are working toward full HIPAA compliance. They are aware, usually because their lawyer has asked them about it, that they have to secure their office by addressing both network security and physical security.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act.

The two rules are commonly summarized as follows: “The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).”

Your duty as a HIPAA compliant company is to prevent unauthorized physical access to Protected Health Information (PHI).

So, how do you actually become HIPAA compliant? The Security Rule's physical safeguards consist of four standards:

- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

In addition to the network security measures you need in the office to be compliant (firewalls, encryption of data at rest and in transit, communication policies, background checks, hardened servers, Two Factor Authentication (2FA) and the rest of the digital controls), physical security matters just as much.

HIPAA Standard: Facility Access Control

Here’s a typical scenario: most companies get a key card (fob) system in place first. The downside? Measured against the requirements published by the US HHS (Department of Health and Human Services), many of them might not actually be meeting the standard.

Here is the relevant excerpt from the HHS summary of the Security Rule's access control requirements:

Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

That one sentence states the whole requirement for making your facility access HIPAA compliant: limit physical access, but make sure the people who are authorized can still get in. (If you're interested in the granular details of the standard, you can read the standards here.) Many access control systems and offices fall short of it in practice.

With physical keys you obviously can’t limit access once you have handed out the key: it can be copied, and it can easily be passed on to unauthorized personnel, with no record of who actually used it. The switch from keys to key cards is largely motivated by exactly these risks.

In a National Research Council report edited by Seymour E. Goodman and Herbert S. Lin for the Committee on Improving Cybersecurity Research in the United States, the authors wrote:

Because the intent of security is to make a system completely unusable to an unauthorized party but completely usable to an authorized one…

That’s why people traditionally used key cards to allow “authorized access”: a card is issued to one person, can be revoked without retrieving it, and leaves a record of each use, which is what the standard is asking for. With smartphone access, you can go a step further and use stronger per-person credentials that are harder to copy or lend than a card, while still granting authorized people access to your facility.
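To make concrete what “limit physical access while ensuring that authorized access is allowed” means in practice, here is an added example (not code from the original page or from any vendor) of a minimal facility access control decision: each credential is bound to one named person and a set of zones, can be revoked without being physically retrieved, is only valid in a time window, and every attempt, granted or denied, is written to an audit log. The people, card IDs and zone names are constructed sample data for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass
class Credential:
    """A credential issued to one named person (unlike a shared metal key)."""
    credential_id: str
    holder: str
    zones: Set[str]                                        # zones this person may enter
    hours: Tuple[time, time] = (time(7, 0), time(19, 0))   # allowed entry window
    revoked: bool = False


@dataclass
class AccessLog:
    """Append-only record of every entry attempt, granted or denied."""
    entries: List[dict] = field(default_factory=list)


class FacilityAccessControl:
    def __init__(self, credentials: List[Credential], log: AccessLog):
        self.credentials: Dict[str, Credential] = {c.credential_id: c for c in credentials}
        self.log = log

    def revoke(self, credential_id: str) -> None:
        """Invalidate a credential without getting it back (lost card, departing staff)."""
        self.credentials[credential_id].revoked = True

    def _evaluate(self, credential_id: str, zone: str, when: datetime) -> Tuple[bool, str]:
        """Deny by default; grant only when every check passes."""
        cred = self.credentials.get(credential_id)
        if cred is None:
            return False, "unknown_credential"
        if cred.revoked:
            return False, "revoked"
        if zone not in cred.zones:
            return False, "zone_not_authorized"
        start, end = cred.hours
        if not (start <= when.time() <= end):
            return False, "outside_hours"
        return True, "granted"

    def request_entry(self, credential_id: str, zone: str, when: datetime) -> bool:
        """Decide, then log the attempt regardless of the outcome."""
        granted, reason = self._evaluate(credential_id, zone, when)
        cred = self.credentials.get(credential_id)
        self.log.entries.append({
            "time": when.isoformat(),
            "credential_id": credential_id,
            "holder": cred.holder if cred else None,
            "zone": zone,
            "granted": granted,
            "reason": reason,
        })
        return granted


def build_demo() -> FacilityAccessControl:
    """Constructed sample data: hypothetical staff, cards and zones."""
    creds = [
        Credential("card-0001", "alice", {"lobby", "records"}),
        Credential("card-0002", "bob", {"lobby"}),
    ]
    return FacilityAccessControl(creds, AccessLog())


def run_demo() -> List[dict]:
    """Walk through the cases a shared key cannot distinguish; return the audit log."""
    fac = build_demo()
    t_day = datetime(2024, 3, 4, 10, 0)
    t_night = datetime(2024, 3, 4, 22, 0)
    fac.request_entry("card-0001", "records", t_day)    # alice is cleared for records
    fac.request_entry("card-0002", "records", t_day)    # bob is not
    fac.request_entry("card-9999", "lobby", t_day)      # card never issued
    fac.request_entry("card-0001", "records", t_night)  # right person, wrong time
    fac.revoke("card-0001")                             # alice leaves; card is dead
    fac.request_entry("card-0001", "records", t_day)    # revoked card is refused
    return fac.log.entries


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The log is the part auditors will ask for: the standard wants to see not just that a door opened, but who was granted or denied access to which area and when. Denied attempts are recorded on purpose, since a run of denials on a revoked card is exactly the signal a security officer should see.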

Why settle for an access system, such as a key card system, that creates more trouble than it is worth, when the only thing it has going for it is that it satisfies the law?