HIPAA Security Technical Safeguards

Episode 48: Know The Rules! HIPAA Security Technical Safeguards

What are the HIPAA Security Technical Safeguards?

In this week’s “Know The Rules!,” I am diving into the Technical Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) Security Standards, 45 CFR § 164.312.

The HIPAA Security Rule Technical Safeguards are increasingly more important due to advancements in technology used in healthcare.

The Security Rule defines Technical Safeguards as:

The technology and the policies and procedures for its use that protect ePHI and control access to it.

As technology improves, new security challenges emerge, Covered Entities (CEs) and Business Associates (BAs) face challenges in securing the electronic protected health information (ePHI) from various internal and external risks. To reduce these risks, CEs and BAs must implement technical safeguards.

The Technical safeguards and their implementation specifications are:
Note: (R) = Required      (A) = Addressable

  1. Access Control – 45 CFR 164.312(a)(1)
    • Unique User Identification – (R)
    • Emergency Access Procedure – (R)
    • Automatic Logoff – (A)
    • Encryption and Decryption – (A)
  2. Audit Controls – 45 CFR 164.312(b)
  3. Integrity – 45 CFR 164.312(c)(1)
    • Mechanism to Authenticate ePHI – (A)
  4. Person or Entity Authentication – 45 CFR 164.312(d)
  5. Transmission Security – 45 CFR 164.312(e)(1)

The following table contains a list of possible Security Components, Examples of Vulnerabilities and Examples of Security Mitigation Strategies for the Technical Safeguards.

Technical Safeguards

The Security Rule does not require specific technology solutions.

Determining which measure to implement is a decision CEs and BAs must make based on what is reasonable and appropriate for their specific organization, given their own unique characteristics, as specified in § 164.306(b) the Security Standards: General Rules, Flexibility of Approach.

Some solutions may be costly, especially for smaller CEs and BAs. While cost is one factor CEs and BAs may consider when deciding on the implementation of a particular security measure, it is not the only factor.

The Security Rule is clear that reasonable and appropriate security measures must be implemented, see 45 CFR 164.306(b), and that the General Requirements of § 164.306(a) must be met.

Together with reasonable and appropriate Administrative and Physical Safeguards, successful implementation of the Technical Safeguards standards will help ensure that a CE or BA will protect the confidentiality, integrity and availability of ePHI.

Remember: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as CEs’ & BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, they expect it to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Technical Safeguards



For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.