What is the HIPAA Double Lock Rule?
Many people involved in HIPAA compliance talk about something called the “double lock rule.” When they are asked to explain what this means, these people will claim that HIPAA requires two layers of protection of PHI. In the case of physical PHI, for example, someone will tell you that the “double lock” rule requires that PHI be locked in a filing cabinet (layer #1), and, that the filing cabinet be kept in a locked room. The idea of a double lock rule appeals to common sense in many situations. However, the rule does not actually exist. The HIPAA regulations do not require a “double protection” of PHI in the manner described above. What the regulations do require is that an organization implement security measures that are reasonable and appropriate under the circumstances. In some circumstances, a double lock-type mechanism is reasonable and appropriate. In other circumstances, though, it is not. More about the double lock rule, and why it is a misnomer, is discussed below.
HIPAA Double Lock Rule and the HIPAA Privacy Rule
The HIPAA Privacy Rule contains an administrative requirement. Under this requirement, covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). There are two things a provider must do to ensure compliance with this requirement:
- The provider must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of the HIPAA Privacy Rule; and
- The provider must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
Notice how the phrase “HIPAA double lock rule” appears nowhere in this administrative requirement. This is not an accident.
When the Department of Health and Human Services created the administrative requirement (45 CFR 164.530c), it clarified what the provision means:
“We require covered entities to maintain safeguards adequate for their operations, but do not require that specific technologies be used to do so. Safeguards need not be expensive or high-tech to be effective. Sometimes, it is an adequate safeguard to put a lock on a door and only give the keys to those who need access… we do not require covered entities to guarantee the safety of protected health information against all assaults. This requirement is flexible and scalable to allow implementation of required safeguards at a reasonable cost.”
As this explanation makes clear, there is no “magic bullet” or HIPAA double lock safeguard that will either guarantee compliance or render an organization non-compliant. What is required is that a provider maintain an effective safeguard. “Effective” means “effective under the circumstances.” Providers are neither required to bankrupt themselves nor use any and all high-tech gadgetry available to be in compliance with the administrative requirement.
Instead of demanding a HIPAA double lock rule, HHS requires healthcare professionals to observe a rule of reason.
This means that an organization must use methods that are reasonable and appropriate, given the size and the complexity of their operations, to:
- Safeguard PHI from unauthorized intentional or unintentional use that is in violation of HIPAA; and
- Safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
Examples of safeguards that HHS has deemed to be reasonable include:
- Speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
- Avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality; and
- Isolating or locking file cabinets or records rooms.
HIPAA Double Lock Rule and the Minimum Necessary Standard
Regardless of what reasonable safeguards you implement, you should make sure that the measures comply with the minimum necessary standard. The minimum necessary standard requires that staff members only be given access to PHI to the extent necessary to perform their job duties. These job duties include patient care, billing, and healthcare operations. When developing safeguards to protect the Privacy Rule, providers should ensure that their workforce receives the least amount of access to PHI that is necessary to perform their job duties. Giving any additional access would increase the risk of unauthorized intentional or unintentional use.
