Technical Safeguards Implementation

Access controls, audit controls, integrity controls, person or entity authentication, and transmission security — the five technical safeguard standards of the Security Rule.

What Are Technical Safeguards?

Technical safeguards are the technology and the policy and procedures for its use that protect ePHI and control access to it. They represent the layer of protection most familiar to IT professionals — access controls, audit logging, encryption, and authentication. The Security Rule specifies five technical safeguard standards, recognizing that the specific technology used will evolve over time while the security objectives remain constant.

1. Access Controls

Covered entities must implement technical policies and procedures that allow only authorized persons or software programs to access ePHI. Implementation specifications include:

  • Unique user identification (Required) — Assign a unique name and/or number for identifying and tracking user identity. Shared accounts for accessing ePHI are not compliant because they prevent individual accountability.
  • Emergency access procedure (Required) — Establish procedures for obtaining necessary ePHI during an emergency. Break-glass procedures for urgent clinical access must be defined and logged.
  • Automatic logoff (Addressable) — Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Encryption and decryption (Addressable) — Implement a mechanism to encrypt and decrypt ePHI. Although this specification is addressable, encrypting ePHI at rest is widely considered a best practice, and a decision not to encrypt must be supported by documented justification.

2. Audit Controls

Covered entities must implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit logs should capture who accessed ePHI, when, from where, and what actions they took. Audit logs must be reviewed regularly as part of information system activity review, and the logs themselves must be protected from tampering. Audit controls are a required standard with no implementation specifications — the covered entity must determine what audit controls are appropriate for its environment.

3. Integrity Controls

Covered entities must implement policies and procedures to protect ePHI from improper alteration or destruction. The addressable implementation specification is authentication mechanisms — electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. This may be implemented through checksums, digital signatures, hash functions, or other integrity verification mechanisms that detect unauthorized changes to ePHI.
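The audit-control and integrity-control requirements above are often met by the same mechanism: an append-only log whose entries record who, when, from where and what, each protected by a keyed hash that also chains to the previous entry. The following is an added example, not code from the article or from any HIPAA guidance; it uses only the Python standard library, and `AUDIT_KEY` and the sample entries (including a break-glass access with its justification) are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical key (constructed). In production it would come from a KMS/HSM
# and be held only by the logging service, so the users being audited cannot
# re-sign entries after editing them.
AUDIT_KEY = b"constructed-demo-key-do-not-use"

GENESIS = "0" * 64  # "previous MAC" value for the first entry in the chain


def _canonical(entry: dict) -> bytes:
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class TamperEvidentAuditLog:
    """Append-only audit log: every entry carries an HMAC-SHA256 over its own
    fields plus the MAC of the preceding entry (a hash chain)."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def record(self, user_id, action, resource, source_ip, when=None, reason=None):
        entry = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "user": user_id,        # who  (unique user identification)
            "action": action,       # what
            "resource": resource,   # which ePHI
            "source": source_ip,    # from where
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        if reason is not None:      # e.g. break-glass justification
            entry["reason"] = reason
        entry["mac"] = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the log is intact, else (False, index of the
        first entry that fails: edited field, forged MAC, reorder, drop or insert)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i   # sequence or chain link broken
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry.get("mac", "")):
                return False, i   # a field was changed, or the MAC was not made with the key
            prev = entry["mac"]
        return True, None


if __name__ == "__main__":
    # Constructed sample activity, including a logged break-glass access.
    log = TamperEvidentAuditLog(AUDIT_KEY)
    log.record("dr.smith", "VIEW", "patient/1001", "10.0.0.5", when="2024-01-01T09:00:00Z")
    log.record("nurse.j", "BREAK_GLASS", "patient/1002", "10.0.0.7",
               when="2024-01-01T09:05:00Z", reason="ED admission, attending unavailable")
    print("intact:", log.verify())
    log.entries[1]["user"] = "dr.smith"   # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

The chain detects edits, forged entries, reordering, and removal or insertion anywhere except at the very end; truncating the tail of the log is invisible to `verify()` alone, so the latest MAC should be periodically copied to storage the application cannot modify (a WORM bucket or the SIEM) and compared against it during the regular log review.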

4. Person or Entity Authentication

Covered entities must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. This is a required standard. Authentication factors include something you know (password, PIN), something you have (smart card, token), and something you are (biometric). Multi-factor authentication (MFA) — requiring two or more factors — is widely recognized as a best practice and is increasingly expected by OCR. Many HIPAA enforcement cases have involved breaches that could have been prevented by MFA.

5. Transmission Security

Covered entities must implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. Implementation specifications include:

  • Integrity controls (Addressable) — Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
  • Encryption (Addressable) — Implement a mechanism to encrypt ePHI whenever deemed appropriate. For ePHI transmitted over open networks (the internet, email), encryption is virtually always appropriate. TLS for data in transit is the standard approach.

Covered entities should evaluate all transmission pathways for ePHI — including email, file transfers, APIs, VPN connections, and health information exchange — and implement appropriate encryption and integrity controls for each.
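For a TLS client, the settings that matter most are that the server certificate is validated, that the hostname is checked against it, and that protocol versions before TLS 1.2 are refused. The block below is an added example, not from the article: it builds a hardened client context with Python's standard `ssl` module, shows the weakened configuration that is commonly found when verification has been switched off to silence certificate errors, and includes a small `audit_context()` check that reports which of those protections a context is missing. The `open_tls()` helper and the finding strings are this example's own.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: CA validation, hostname check, TLS 1.2 minimum."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The configuration to avoid: encrypts the channel but accepts any server,
    so an interposed host can read and alter the ePHI in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the list of transmission-security gaps in a client context
    (empty list means it passes the three checks above)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def open_tls(host: str, port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a verified TLS connection; raises ssl.SSLCertVerificationError on a
    certificate that does not validate for `host` (hypothetical helper)."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("weak:", audit_context(make_weak_context()))
```

The same three checks apply to any library that wraps `ssl` (requests, urllib3, httpx): a `verify=False` or `CERT_NONE` setting in code that carries ePHI is a finding for the transmission-security review, whatever the protocol version negotiated.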
