HIPAA Technical Safeguards: Are You Meeting the Requirements?


There’s a good reason the term “HIPAA headache” resonates with healthcare cybersecurity teams: the sheer complexity of the regulations can make it hard to even know whether your organization is currently compliant – let alone do anything about potential breaches. 

One of the biggest contributors to that complexity is the HIPAA Security Rule technical safeguards – a set of requirements that many security teams, especially within smaller healthcare organizations, lack the expertise to evaluate and remediate with confidence. 

This article exists to help you combat that problem, providing a clear overview of the requirements along with a range of best practices to ensure you establish best-in-class security. But before we delve into the details, we need to establish the basics of the technical safeguards. 

What Are the HIPAA Security Rule Safeguards? 

The HIPAA Security Rule is a national set of security standards in the United States designed to protect electronic protected health information (ePHI). It consists of three categories of safeguards: 

  1. Physical Safeguards: These are physical measures intended to prevent unauthorized access to ePHI. Examples include policies around workstation access, security clearance procedures to limit access to specific areas in a hospital, guidelines that dictate how a device that has housed ePHI can be disposed of, and more.  
  2. Administrative Safeguards: These are administrative policies and procedures designed to protect ePHI. Examples include workforce training, contingency planning, and information access management. 
  3. Technical Safeguards: These are measures taken to ensure an organization’s technology and technology policies properly protect ePHI and control access to it. Examples include encrypting ePHI during transmission, requiring multi-factor authentication (MFA) to access ePHI, and scheduling regular data audits to ensure data integrity. 

An Overview of the HIPAA Technical Safeguards 

The HIPAA technical safeguards are broken down into five sets of controls: 

  1. Access Controls: Covered entities must ensure access to PHI is limited to only those who absolutely must access it. 
  2. Audit Controls: Covered entities must ensure they record and monitor all activity related to ePHI so that they can quickly and accurately identify who has come into contact with specific protected information. 
  3. Integrity Controls: Covered entities must ensure PHI is not improperly altered or destroyed in an unauthorized manner. 
  4. Authentication Controls: Covered entities must verify that a person or entity seeking access to ePHI is who they claim to be before granting access. 
  5. Transmission Controls: Covered entities must ensure PHI is secure and safe while being transmitted. 

However, this can be overwhelming for many organizations, especially given that many lack experienced in-house teams that are well-versed in the intricacies of the HIPAA Security Rule. Our team has helped thousands of covered entities update their policies and procedures to ensure HIPAA compliance, including comprehensive measures to improve their technical safeguards – and we have established a range of best practices to make technical safeguards robust and effective. 


Best Practices to Implement HIPAA Technical Safeguards 

1. Access Controls 

The HIPAA Security Rule has three specific access control requirements: 

  • Unique User Identification: Every employee must be assigned a unique name and/or number to track their activity relating to ePHI. 
  • Emergency Access Procedures: There must be procedures in place to retrieve ePHI during an emergency. 
  • Authentication: Any individual or entity requesting access to ePHI must have their identity and authorization verified.  

However, there are several other measures we have found produce optimal results, including: 

  • Using role-based access controls to ensure permissions are tailored to an individual’s specific job functions, maintaining strong authentication while limiting friction for authorized individuals. 
  • Implementing access monitoring to detect and respond to unauthorized access attempts properly. 
  • Installing automatic log-off to ensure workstations end the session after a certain duration of inactivity.

2. Audit Controls 

There is just one official audit control requirement found within the HIPAA Security Rule: entities must have software, hardware, or procedures to record and examine activity in information systems that relate to ePHI. However, we recommend that organizations take further steps by conducting regular audits of access and activity logs related to ePHI to identify anomalies or suspicious activity. 
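The access and audit control practices above (unique user IDs, role-based permissions, and regular review of ePHI activity logs for anomalies) come together in a log review. The following is an added example, not code from the article or from Intraprise Health; the log format, user IDs, roles, thresholds and working-hours window are all constructed for illustration.

```python
# Added example: review a constructed ePHI access audit log against
# role-based permissions and flag anomalies for a compliance reviewer.
from collections import defaultdict
from datetime import datetime

# Constructed role-to-permission map ("minimum necessary" per job function).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "it_admin": set(),  # no clinical record access at all
}

# Constructed audit log: timestamp, unique user ID, role, action, record ID.
SAMPLE_LOG = """\
2024-03-04T09:12:00 u1042 physician read P-3001
2024-03-04T09:15:30 u1042 physician write P-3001
2024-03-04T10:02:11 u2077 billing read P-3001
2024-03-04T10:05:49 u2077 billing write P-4410
2024-03-04T02:30:00 u3190 it_admin read P-5120
2024-03-04T11:00:00 u2077 billing read P-4411
2024-03-04T11:00:05 u2077 billing read P-4412
2024-03-04T11:00:10 u2077 billing read P-4413
"""


def parse_log(text):
    """Turn each whitespace-separated log line into an event dict."""
    events = []
    for line in text.splitlines():
        ts, user, role, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "record": record})
    return events


def review(events, bulk_threshold=4, work_hours=(7, 19)):
    """Return (user_id, reason) findings; every finding maps to one unique user ID."""
    findings = []
    records_per_user = defaultdict(set)
    for e in events:
        allowed = ROLE_PERMISSIONS.get(e["role"], set())
        if e["action"] not in allowed:  # action outside the role's permissions
            findings.append((e["user"], f"{e['action']} on {e['record']} "
                                        f"not permitted for role {e['role']}"))
        if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
            findings.append((e["user"], f"access to {e['record']} outside working hours"))
        records_per_user[e["user"]].add(e["record"])
    for user, records in records_per_user.items():
        if len(records) >= bulk_threshold:  # unusually broad access for one user
            findings.append((user, f"touched {len(records)} distinct records"))
    return findings
```

Running `review(parse_log(SAMPLE_LOG))` yields four findings: a billing user writing a record, an IT admin reading a record, that same admin's access at 02:30, and the billing user touching five distinct records.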

3. Integrity Controls 

The HIPAA Security Rule requires covered entities to have electronic measures that can verify that ePHI has not been altered or destroyed improperly. Organizations should also implement regular data backups and data validation checks to ensure data integrity.  

4. Authentication Controls 

While authentication controls are somewhat covered under access controls, there are a few important measures that will dramatically increase the security of your ePHI, including: 

  • Robust authentication: Covered entities should use Multi-Factor Authentication (MFA) or biometric authentication to access systems and data that contain ePHI.  
  • Training: Employees should have robust training to ensure they use strong passwords and understand the value of extensive authentication processes. 

5. Transmission Controls 

Transmission controls can be significantly improved through: 

  • Virtual Private Networks: Create policies that ensure any ePHI transfer is undertaken using a VPN and secure connection. 
  • Encryption: Implement end-to-end encryption protocols during the transmission of ePHI between networks. 
  • Email Protections: Leverage secure email solutions whenever relevant to keep ePHI secure. 

Worried Your Safeguards Are Not Robust? 

HIPAA violations are often not the result of negligence but instead are due to hidden vulnerabilities that the in-house security team missed because their security risk assessment (SRA) was not thorough enough.  

That is why Intraprise Health offers comprehensive compliance assessment services – to help you identify, prioritize, and remediate the risks that could put you on the HHS’s “Wall of Shame.” 

Want to discuss how we could assess and improve your technical safeguards? 


About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.