What are the Technical Safeguards of HIPAA?

The HIPAA technical safeguards outline what your application must do while handling PHI, according to the HIPAA Security Rule.

While there are both required and addressable elements to these safeguards you should implement them all. Addressable elements (such as automatic logoff) are really just software development best practices.


Access Control Requirements

  • Unique User Identification (required): Assign a unique name and/or number for identifying and tracking user identity.
  • Emergency Access Procedure (required): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
  • Automatic Logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Authentication (required): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  • Encryption and Decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI.

Transmission Security

  • Integrity Controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
  • Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate.

Audit and Integrity

  • Audit Controls (required): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  • Mechanism to Authenticate ePHI (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.