When the Department of Health and Human Services created the administrative requirement (45 CFR 164.530(c)), it clarified what the provision means:
“We require covered entities to maintain safeguards adequate for their operations, but do not require that specific technologies be used to do so. Safeguards need not be expensive or high-tech to be effective. Sometimes, it is an adequate safeguard to put a lock on a door and only give the keys to those who need access… we do not require covered entities to guarantee the safety of protected health information against all assaults. This requirement is flexible and scalable to allow implementation of required safeguards at a reasonable cost.”
As this explanation makes clear, there is no “magic bullet” or HIPAA double lock safeguard that will either guarantee compliance or render an organization non-compliant. What is required is that a provider maintain an effective safeguard, and “effective” means “effective under the circumstances.” Providers are required neither to bankrupt themselves nor to use every piece of high-tech gadgetry available in order to comply with the administrative requirement.
Instead of demanding a HIPAA double lock rule, HHS requires healthcare professionals to observe a rule of reason.
This means that an organization must use methods that are reasonable and appropriate, given the size and the complexity of their operations, to:
Examples of safeguards that HHS has deemed to be reasonable include:
- Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
- Avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality; and
- Isolating or locking file cabinets or records rooms.
HIPAA Double Lock Rule and the Minimum Necessary Standard
Regardless of what reasonable safeguards you implement, you should make sure that the measures comply with the minimum necessary standard. The minimum necessary standard requires that staff members be given access to PHI only to the extent necessary to perform their job duties, such as patient care, billing, and healthcare operations. When developing safeguards under the Privacy Rule, providers should ensure that each member of the workforce receives no more access to PHI than their job duties require. Any additional access increases the risk of unauthorized use or disclosure, whether intentional or unintentional.