Technical Safeguards in the HIPAA Security Rule

Written by Form Vessel | Dec 31, 2025 12:18:01 AM

Key Takeaways

HIPAA’s technical safeguards are designed to protect electronic protected health information (ePHI) by controlling access, tracking system activity, preventing improper changes, verifying user identity, and securing data in transit. Understanding the five technical safeguard standards (and the difference between required vs. addressable implementations) helps covered entities and business associates identify common compliance gaps, implement reasonable protections, and strengthen their overall HIPAA security posture.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney or compliance professional when interpreting HIPAA regulations.

The HIPAA Security Rule was first published in 2003 to set standards for safeguarding electronic protected health information (ePHI). The regulation established three types of safeguards: physical, administrative, and technical. All three work together to ensure that covered entities and their business associates implement reasonable and appropriate measures to secure sensitive information.

The technical safeguards are the least "visible" of the three. They operate in the background but still serve a very important purpose: they help covered entities and business associates protect against both accidental access and malicious cyberattacks. This post walks through the technical safeguards by defining the five standards, describing common mistakes, and explaining why it all matters.

Required vs. Addressable

Before evaluating the implementation specifics in the following standards, it’s important to understand how HIPAA defines required and addressable. Required implementations must be present. As with many aspects of HIPAA, there is leeway on how they are implemented, but there is no avoiding them.

Many think that addressable implementations are optional. That's not exactly correct. It means that an organization must implement the specification if it is reasonable and appropriate for its situation. If it is not, the organization must document its findings and implement an equivalent alternative measure where appropriate.

The Five Standards

Access Controls

Access controls are designed to limit ePHI access to authorized users. Only those who need to use ePHI to do their job should be able to. This standard includes four implementation specifications:

  1. Unique User Identification (Required)
    • Unique user identification means a system should have some way to identify individuals. The exact methods can differ, but each user should be easily identifiable and traceable for accountability purposes.
  2. Emergency Access Procedure (Required)
    • This implementation relies heavily on policy and procedures. It dictates that organizations need documented protocols for accessing required ePHI in an emergency. The scope of who can access ePHI may be altered by these situations, but access controls must still be present. Covered entities need to implement an emergency procedure to cover these issues.
  3. Automatic Logoff (Addressable)
    • Automatic logoff should be enabled when appropriate. Systems should be configured to log out after a predetermined amount of time to limit accidental exposure.
  4. Encryption and Decryption (Addressable)
    • Encryption and decryption protect ePHI from being viewed by anyone besides the necessary parties. Encryption converts readable plaintext into ciphertext that can only be converted back by an authorized user holding the correct key.
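The access-control specifications above are easier to reason about when you see them enforced in one place. The following is an added example written for this post, not code from the article or from any particular product: a small access controller that ties every session to a unique user ID, discards idle sessions (automatic logoff), limits routine reads to patients in the user's care, and supports a documented emergency ("break-glass") grant that widens scope for a limited time while still recording every decision. The role names, patient IDs, idle timeout and emergency window are assumptions chosen for illustration.

```python
"""Access controls: unique user IDs, automatic logoff, emergency access.

Added example, not code from the original article. Timeouts, roles and
the break-glass window are assumptions chosen for illustration.
"""
from dataclasses import dataclass
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed automatic-logoff window
BREAK_GLASS_SECONDS = 60 * 60    # assumed duration of an emergency grant


@dataclass
class Session:
    user_id: str            # unique identifier, never a shared login
    last_activity: float    # seconds since epoch of the last request
    emergency_until: float = 0.0   # > now while break-glass access is active


class AccessController:
    def __init__(self, role_of: dict[str, str], treating: dict[str, set[str]]):
        self.role_of = role_of        # user_id -> role
        self.treating = treating      # user_id -> patients in that user's care
        self.sessions: dict[str, Session] = {}
        self.events: list[dict] = []  # every decision is recorded for audit

    def login(self, user_id: str, now: float) -> str:
        if user_id not in self.role_of:
            raise PermissionError(f"unknown user {user_id}")
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user_id, now)
        self._log(now, user_id, "login")
        return token

    def _live_session(self, token: str, now: float):
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            # Automatic logoff: an idle session is discarded, not extended.
            del self.sessions[token]
            self._log(now, s.user_id, "auto_logoff")
            return None
        s.last_activity = now
        return s

    def break_glass(self, token: str, now: float, reason: str) -> None:
        """Emergency access: wider scope for a limited time, always with a reason."""
        s = self._live_session(token, now)
        if s is None:
            raise PermissionError("no active session")
        if not reason.strip():
            raise ValueError("emergency access requires a documented reason")
        s.emergency_until = now + BREAK_GLASS_SECONDS
        self._log(now, s.user_id, "break_glass", reason=reason)

    def can_read(self, token: str, patient_id: str, now: float) -> bool:
        s = self._live_session(token, now)
        if s is None:
            return False
        role = self.role_of[s.user_id]
        in_care = patient_id in self.treating.get(s.user_id, set())
        emergency = s.emergency_until > now
        allowed = role == "clinician" and (in_care or emergency)
        self._log(now, s.user_id, "read", patient=patient_id,
                  allowed=allowed, emergency=emergency)
        return allowed

    def _log(self, now: float, user_id: str, action: str, **extra) -> None:
        self.events.append({"t": now, "user": user_id, "action": action, **extra})


def demo() -> dict:
    """Walk through the scenarios and return the outcome of each check."""
    ac = AccessController(
        role_of={"dr.alice": "clinician", "billing.bob": "billing"},
        treating={"dr.alice": {"P-1001"}},   # constructed sample data
    )
    t = 1_000.0
    tok = ac.login("dr.alice", t)
    own = ac.can_read(tok, "P-1001", t + 10)          # patient in her care
    other = ac.can_read(tok, "P-2002", t + 20)        # not in her care
    ac.break_glass(tok, t + 30, "ER admission, primary clinician unreachable")
    emergency = ac.can_read(tok, "P-2002", t + 40)    # allowed under break-glass
    after_idle = ac.can_read(tok, "P-1001", t + 40 + IDLE_TIMEOUT_SECONDS + 1)
    billing = ac.can_read(ac.login("billing.bob", t), "P-1001", t + 5)
    return {"own": own, "other": other, "emergency": emergency,
            "after_idle": after_idle, "billing": billing,
            "auto_logoff_logged": any(e["action"] == "auto_logoff" for e in ac.events)}
```

Note that the emergency grant does not bypass the controls: the session still belongs to a named user, it still times out, and the reason and every read under it land in the event list, which is what lets the access later be reviewed.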

Audit Controls

Audit controls are important for responding to incidents and breaches. They help administrators trace access events and react accordingly. HIPAA does not mention specific tools, so the exact methods are up to the covered entity. However, covered entities should still pay close attention to the official language:

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

This means that every situation can be different depending on scope and risk. Some may be adequately covered by basic system logs, while others might require more advanced logging, alerting, and review processes.
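The regulatory text asks for two things: that activity be recorded, and that it be examined. As an added example (not from the article), here is a review pass over a constructed application access log that flags three patterns a reviewer would want to see: use of a generic shared account, access outside business hours, and one user touching an unusually large number of distinct patients in a day. The log format, account names, hours and threshold are all assumptions; tune them to your own systems.

```python
"""Audit controls: record and examine ePHI access events.

Added example, not from the article. The log format, the review rules and
the sample lines are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, action, patient id
SAMPLE_LOG = """\
2025-03-04T09:12:05 dr.alice READ P-1001
2025-03-04T09:15:41 dr.alice UPDATE P-1001
2025-03-04T10:02:13 frontdesk READ P-1003
2025-03-04T10:04:52 frontdesk READ P-1004
2025-03-04T11:20:00 nurse.carl READ P-1001
2025-03-04T23:41:09 nurse.carl READ P-1007
2025-03-04T13:00:01 billing.dana READ P-1001
2025-03-04T13:00:09 billing.dana READ P-1002
2025-03-04T13:00:17 billing.dana READ P-1003
2025-03-04T13:00:25 billing.dana READ P-1004
2025-03-04T13:00:33 billing.dana READ P-1005
"""

SHARED_ACCOUNTS = {"frontdesk", "admin", "reception"}  # assumed generic logins
BUSINESS_HOURS = (7, 19)         # assumed: 07:00 to 19:00 local time
BROAD_ACCESS_THRESHOLD = 5       # assumed: distinct patients per user per day


def parse_log(text: str) -> list[dict]:
    """Turn the whitespace-separated log lines into event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review(events: list[dict]) -> list[tuple]:
    """Examine the events and return (finding_type, user, detail) tuples."""
    findings = []
    per_user_day = defaultdict(set)
    for e in events:
        if e["user"] in SHARED_ACCOUNTS:
            # No unique user identification: the event cannot be tied to a person.
            findings.append(("shared_account", e["user"], e["patient"]))
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", e["user"], e["patient"]))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) >= BROAD_ACCESS_THRESHOLD:
            findings.append(("broad_access", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


def summarize(text: str = SAMPLE_LOG) -> Counter:
    """Count findings by type for the given log text."""
    return Counter(kind for kind, _, _ in review(parse_log(text)))


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

A finding is not a violation by itself; the point is that someone looks at it. Recording the review (who examined which findings and what was concluded) is what turns the logs into the "examine" half of the standard.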

Integrity Controls

Integrity controls ensure that ePHI is not improperly altered or destroyed. This standard includes one implementation specification:

  1. Mechanism to Authenticate Electronic Protected Health Information (Addressable)
    • Covered entities must “Implement electronic mechanisms to corroborate that electronic health information has not been altered or destroyed in an unauthorized manner.” As with the previous items, how this is done is open to interpretation. The covered entity must properly document the procedure and be able to effectively carry it out when necessary.
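One common electronic mechanism for corroborating that a record has not been altered is a keyed message authentication code stored alongside the record. The following is an added example for this post, not code from the article: each ePHI record is serialized in a canonical form and sealed with an HMAC-SHA256 tag, and verification recomputes the tag and compares it in constant time. The key and the sample record are constructed placeholders.

```python
"""Integrity control: corroborate that a stored ePHI record is unaltered.

Added example, not from the article. The key and record are constructed
placeholders; in production the key lives in a key store, not in code.
"""
import copy
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Deterministic serialization so identical content yields an identical tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time; False means altered."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> dict:
    key = b"constructed-demo-key-replace-with-managed-key"
    record = {"patient_id": "P-1001", "allergies": ["penicillin"], "dose_mg": 250}
    sealed = seal(record, key)
    intact = verify(sealed, key)

    # Simulate an unauthorized change to a stored value.
    tampered = copy.deepcopy(sealed)
    tampered["record"]["dose_mg"] = 2500
    tampered_detected = not verify(tampered, key)

    # Same content serialized with keys in a different order still verifies.
    reordered = {"record": {"dose_mg": 250, "allergies": ["penicillin"],
                            "patient_id": "P-1001"}, "tag": sealed["tag"]}
    reorder_ok = verify(reordered, key)
    return {"intact": intact, "tampered_detected": tampered_detected,
            "reorder_ok": reorder_ok}
```

A keyed tag is used rather than a bare hash because anyone who can alter the record could also recompute a plain hash; without the key they cannot produce a matching tag. Verification failures should themselves be logged, since a failed check is exactly the event the audit controls exist to capture.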

Authentication Controls

Authentication controls align with access controls to ensure only authorized users can access ePHI. This standard has no implementation specifications of its own, but it requires that individuals have a way to prove their identity. This can be a unique password, key, smart card, or biometric method. Covered entities must evaluate what is appropriate for their situation.

Transmission Security

This standard governs protections for ePHI as it is sent between locations. It includes two implementation specifications:

  1. Integrity Controls (Addressable)
    • This specification is similar to the integrity controls standard, except that it specifically governs data in transit. It is meant to ensure that information is not altered or destroyed before it reaches its destination.
  2. Encryption (Addressable)
    • This is also like the encryption mentioned previously. In transit, data is generally encrypted through transport protocols like TLS.

Common Mistakes

Many common mistakes involve accidental breaches, rather than intentional cyberattacks. It’s very easy to overlook required technical protections for the sake of convenience. For instance, many smaller practices use one shared communications account. This makes it easy to manage, but it can also create problems regarding access controls. There is no individual user identification or unique password protection, and it’s difficult to audit.

It's also common for providers to use platforms that are not ready to meet HIPAA's technical standards by default. A good example is using certain types of Gmail accounts to transfer ePHI. Personal accounts are convenient for everyday use, but many forget that they might not be configured with the necessary safeguards for use with sensitive health information.

These are just a few examples. There are many more situations that can easily lead to unauthorized ePHI access. It’s important to work with your team to evaluate your unique case.

How The Technical Safeguards Interact With Physical and Administrative Safeguards

It’s important to understand that the technical safeguards are just one piece of the puzzle. The Security Rule also contains physical and administrative safeguards that work in conjunction with the technical safeguards to ensure ePHI is properly protected.

Physical safeguards involve physical protections against improper ePHI access. Examples include physical barriers, locked doors, secure workstations, and privacy screens. Administrative safeguards are the brains of the operation. They ensure that covered entities follow policies and procedures that are standardized, repeatable, and enforceable. They stipulate that organizations must maintain relevant documentation, conduct trainings, and perform regular risk assessments.

How Do The Technical Safeguards Affect Different Organizations?

Covered Entities

Covered entities must evaluate all systems through which ePHI flows to ensure they're meeting the technical standards. Additionally, every new system that gets onboarded into their ecosystem should be vetted before adoption. If a system cannot be configured with reasonable and appropriate safeguards, it's smarter to find an alternative.

It can seem like a daunting task, but with regular reviews and risk assessments, organizations can ensure that they are keeping up with the necessary requirements. It can also be helpful to consult with a compliance professional to assist with these tasks.

Business Associates

In many cases, business associates may have a more defined scope that comes with increased volume. This is because they are often vendors that are interacting with ePHI in very specific ways, so it is easier to monitor the flows. However, the tradeoff is that they are generally performing these operations for more than one client. It can be easier to outline the required processes, but it still takes due diligence to ensure that the policies are being followed.

What To Do Next?

If you feel your organization could use another look at its technical safeguards, it’s worth taking a moment to get your bearings. The first step should be to work with your team to identify any potential compliance gaps. It is important to document these as well so you can prove that your organization is taking compliance seriously and can demonstrate that you implemented the proper corrective actions before an incident occurs.

Depending on the size and complexity of your organization, a dedicated compliance professional could bring a lot of value. They know exactly what to look for and how to help covered entities and business associates implement compliant practices.

After you’ve corrected course, it’s important to stay up to date on your required documentation, logging, and training. You also should be sure to continue conducting regular risk assessments to monitor for hidden issues.

HIPAA does not require perfection. It requires reasonable and appropriate safeguards. Organizations that are continually finding ways to improve their safeguards are putting themselves in the best position to succeed. By aligning with the technical safeguards in this blog, you can bring your organization one step closer to compliance.