HIPAA Technical Safeguards Protect PHI

Why Technical Safeguards?

HIPAA technical safeguards protect PHI and have become a major part of any HIPAA Privacy program. Technical safeguards are important because of the constant technology advancements in the health care industry; they are key elements that help maintain the safety of EPHI as the internet changes. One of the greatest challenges healthcare organizations face is protecting electronic protected health information (EPHI), including electronic health records, from various internal and external risks. To best reduce risks to EPHI, covered entities must implement technical safeguards.

Comply with Technical Safeguards

The Security Rule requires a covered entity to comply with the HIPAA Technical Safeguard standards and certain implementation specifications.  A covered entity may use any security measures that allow it to reasonably and appropriately do so.

Define “Technical Safeguards”

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”  

This rule is based on several fundamental concepts.  These concepts include:

  • Flexibility
  • Scalability
  • Technology neutrality

As written, the standards identify no specific types of technology to implement. It is entirely up to a covered entity to determine what security measures and specific technologies are reasonable and appropriate for implementation within the entity.

Solutions vary in nature depending on the organization. The Security Rule requires that reasonable and appropriate measures be implemented and that the General Requirements of the Rule be met; that is the most important requirement.

Implementing “The Security Rule”

In the Security Standards, the General Rules section on Flexibility of Approach gives the entity important guidance on the decisions a covered entity must consider when selecting security measures such as technology solutions. Once an organization has completed the required risk analysis and risk management process, the entity will be able to make appropriate, informed decisions.

The Rule allows the use of security measures, but no specific technology is required. The guidance given is that the entity should reasonably and appropriately implement the Standards and implementation specifications. As a result, the covered entity must determine which security measures and specific technologies are reasonable and appropriate for implementation in its organization.

Technical Standards:


Standard: Access Control

This first standard concerns the ability or the means necessary to read, write, modify, or communicate data or information, or otherwise use any system resource.

Access control provides users with rights and/or privileges to access and perform functions using programs, files, information systems and applications. Ideally it should provide access only to the minimum necessary information required to perform a duty within the organization. This access should be granted based upon a set of access rules the covered entity implements as part of “Information Access Management,” outlined in the Administrative Safeguards section of the Rule.

The standard requires a covered entity to:

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Information Access Management.”

There are many different combinations of access control methods and technical controls that can be used to accomplish these objectives.  Whatever method is used it should be appropriate for the role and/or function of the workforce member.

There are four implementation specifications:

  • Unique User Identification (Required)
  • Emergency Access Procedure (Required)
  • Automatic Logoff (Addressable)
  • Encryption and Decryption (Addressable)

Unique User Identification (Required)

According to this implementation specification, a covered entity is directed to do the following:

“Assign a unique name and/or number for identifying and tracking user identity.”

User identification is a process used to identify a specific user of an information system, typically by name and/or number. This identifier allows an entity to track specific user activity while that user is logged into an information system. By doing so, it enables an entity to hold users accountable for functions performed on information systems containing EPHI while logged into those systems.

The Rule does not specify a format for identifiers. A covered entity must determine the best user identification strategy based on its workforce and its operations.

Emergency Access Procedure

Under this implementation specification the organization is asked to:

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”  

There must be well-documented procedures and instructions that allow an entity to access EPHI during emergency situations. An entity must determine the types of situations that would require emergency access to information systems. Examples to consider would be loss of power or hijacking of data.

Automatic Logoff

Under this implementation specification the organization is asked to:

“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

Automatic logoff from a system is a common approach to protecting against inadvertent access to workstations. It is an effective way to prevent unauthorized users from accessing EPHI on a workstation left unattended.

Encryption and Decryption

Under this implementation specification the covered entity is asked to consider:

“Implement a mechanism to encrypt and decrypt electronic protected health information.”  

This is an addressable implementation specification and should be put into effect when it is a reasonable and appropriate safeguard for a covered entity. Encryption is a method of converting messages into encoded text using an algorithm. With this technique there is a low probability that anyone other than the intended recipient, who holds the key, can read the information. There are many encryption methods and technologies to protect data from being inappropriately accessed. It is up to the entity to decide whether this is necessary.

When the Security Rule was enacted, its authors recognized the rapid advances in technology. Consequently, it would be very difficult to give guidelines that change regularly, so they chose not to require specific safeguards. It is up to the organization to do a careful risk assessment and, based on it, create the appropriate mechanisms to protect ePHI. Presently, encryption of ePHI is an effective tool and a good safeguard for the safe transmission of email and texts through the cloud. In many cases it has become the standard for the transmission of sensitive data in healthcare and in the business world.


Standard:  Audit Controls

Audit controls are key in monitoring and reviewing activity in the system to protect its EPHI.

The standard requires a covered entity to:

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Information systems must have some level of audit control with the ability to produce reports. These controls are useful for auditing system activity when a security violation is suspected or has occurred.

The Security Rule does not identify specific data to be gathered by the audit controls. It is up to the covered entity to consider this after a risk analysis and to determine the most reasonable and appropriate audit controls for its systems that contain EPHI.


Standard: Integrity

Integrity is defined in the Security Rule, as “the property that data or information have not been altered or destroyed in an unauthorized manner.”

The standard requires a covered entity to:

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

The purpose of this standard is to establish and implement policies and procedures for protecting EPHI from being compromised, regardless of the source. It helps prevent workforce members from making accidental or intentional changes that alter or destroy EPHI. It may also help prevent alterations caused by electronic media errors or failures.

There is one addressable implementation specification.

Mechanism to Authenticate Electronic Protected Health Information

If it is reasonable and appropriate, a covered entity must:

“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”

A covered entity must perform a risk analysis and, from it, determine the various risks to the integrity of EPHI. This will help define the security measures necessary to reduce those risks.


Standard:  Person or Entity Authentication

Authenticating the individual who has access to the system is very important in the establishment of technical safeguards.

This standard requires a covered entity to:

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”  

This requires a system of identification to verify that a person is who they claim to be before access to the system is granted. There are many ways of accomplishing this, such as passwords, PINs, smart cards, tokens, keys or biometrics.

The mechanism used will depend on the organization. Most organizations rely on a password or PIN. If the credentials entered match those held by the system, the user is allowed access.


Standard: Transmission Security

It is important to guard all transmissions of electronic protected health information.

This standard requires a covered entity to:

“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

Once a covered entity has completed a risk analysis, it will review and understand the methods currently used to transmit EPHI, such as email, the internet, a network or texting. Once these methods are reviewed, the entity can determine the best way to protect EPHI.

There are two implementation specifications:

  • Integrity Controls
  • Encryption

Integrity Controls

If, based on a risk analysis, this implementation specification is reasonable and appropriate, the covered entity must:

“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

Integrity in the context of this implementation specification focuses on making sure the EPHI is not improperly modified during transmission. This may be accomplished by using network protocols that confirm that the data received is the data that was sent.
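One concrete form of the “electronic mechanism to corroborate that EPHI has not been altered” (Integrity standard above) and of a transmission integrity control is a keyed integrity tag computed over a record before it is stored or sent and re-checked afterwards. The block below is an added illustration, not code from the original page or from any specific product; the record, the key and the function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample record for illustration only; not real patient data.
SAMPLE_RECORD = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 500}

# Hypothetical key; a real deployment would obtain it from a key management
# system and never embed it in source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always
    produces identical bytes (sorted keys, no whitespace)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag; the tag cannot be recomputed without the key,
    so an unauthorized change to the data will no longer match it."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over the received data and compare in constant time."""
    expected = hmac.new(key, canonical_bytes(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> tuple:
    """Seal a record, verify it, then verify a copy whose allergy field was
    changed in transit; returns (intact_ok, tampered_ok)."""
    sealed = seal_record(SAMPLE_RECORD)
    intact_ok = verify_record(sealed)
    tampered = {"data": dict(sealed["data"], allergy="none"), "tag": sealed["tag"]}
    tampered_ok = verify_record(tampered)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False): the altered record is detected
```

Because the tag is keyed, a party without the key cannot both alter the EPHI and produce a matching tag, which is what distinguishes this from a plain checksum.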

Encryption

After a risk analysis if this implementation specification is a reasonable and appropriate safeguard the covered entity must:

“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

As mentioned earlier under the Access Control standard, encryption is a method of converting messages into encoded or unreadable text that is later decrypted into comprehensible text. This is an addressable implementation specification, similar to Encryption and Decryption under Access Control.

Encryption works only if the sender and receiver are using the same or compatible technology.  The Security Rule allows covered entities the flexibility to determine when, with whom and what method of encryption to use. 


In Conclusion

HIPAA technical safeguards are important because of technology advancements, as they help protect EPHI in today’s environment. It is crucial for all covered entities and business associates who deal with electronic PHI to review their use of Technical Safeguards to be fully in compliance.

We are available to discuss Technical Safeguards with your organization.