Hey Compliance Warriors!

Occasionally I get a question about the double-locking rule that HR consultants and trainers often recommend or even say is required by law. Here is a recent question and the response I provided after doing some research on the matter. Enjoy!

QUESTION: I’ve seen conflicting information about how to properly store PHI and I’m wondering if it’s a requirement to follow the double-lock rule? Or can we just ensure that proper safeguards are in place to ensure PHI is protected?

This is text from an online resource that says the double-lock rule is not true and this is what’s actually required:

The provider must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of the HIPAA Privacy Rule; and
The provider must reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

ANSWER: You are correct. The DL rule is not part of the HIPAA statute and we should also note that HIPAA generally does not cover employee records kept by non-medical employers. There are other precedents for the rule, however. For one, a 2-step security process has become a sort of gold standard to prove you are taking measures at a “reasonable and appropriate level” to protect any form of confidential information. The ever-popular 2-step verification for signing into bank accounts and now even Facebook are examples of the acceptance of the “double” rule.

Here is one example of a federal statute that requires specific double-locking measures. https://www.law.cornell.edu/cfr/text/22/1101.5

(4) Where a locked room is the method of security provided for a system, that security shall be supplemented by: (i) Providing lockable file cabinets or containers for the records or (ii) changing the lock or locks for the room so that they may not be opened with a master key. For purposes of this paragraph, a master key is a key which may be used to open rooms other than the room containing records subject to the Act, unless those rooms are utilized by officials or employees authorized to have access to the records subject to the Act.

So, each covered entity will be required to prove that they have taken all reasonable steps to secure PHI. If a breach is made, the entity may be required to prove that it could have done nothing more. The double-locking rule is considered a good-faith effort to reduce the risk of a breach.

HIPAA does say this: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

§ 164.308 Administrative safeguards. (a) A covered entity or business associate must, in accordance with § 164.306:

B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

§ 164.310 Physical safeguards. A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. (2) Implementation specifications: (i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. (ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. (iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

All of this being said, the security provisions are left to the discretion of the covered entity. Just be sure you can defend your security measures if they are ever challenged with the question, “What made you believe your protocols were sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?

I hope this helps.

Be Audit-Secure!

Lisa Smith, SPHR, SCP

The post The Double-Locking Rule for Confidential Files: Is it Real or Made-up? appeared first on Your HelpDesk for HR .