Enguard Logo
Technical Safeguards HIPAA

Technical Safeguards are…

A Quick Guide to HIPAA’s Technical Safeguards

The Health Insurance Portability and Accountability Act (HIPAA) governs the use and disclosure of Protected Health Information (PHI). HIPAA requires that a Covered Entity (CE) and a Business Associate (BA) must protect a patient’s medical information. There are three laws outlined within HIPAA regulations: The Privacy Rule, The Security Rule, and The Breach Notification Rule. 

HIPAA laws

The Security Rule contains a subsection of safeguards that were enacted to regulate how HIPAA covered entities protect  Electronic Protected Health Information (ePHI). Safeguards included in The Security Rule are technical safeguards, physical safeguards, and administrative safeguards. The following paragraphs will provide an overview to the technical safeguards outlined under The HIPAA Security Rule. 

The HIPAA Security Rule

The Privacy Rule protects confidential data under HIPAA, while The Security Rule regulates how that data should be protected. More specifically, it outlines what tactics need to be implemented by a CE to protect the integrity of that ePHI.

There are no specific requirements for what types of technology HIPAA covered entities need to utilize to protect sensitive information. Rather, this rule leaves security modalities up to the CE’s discretion, as long as they are reasonable and appropriate.  

Maintaining HIPAA compliance under The Security Rule is important for healthcare providers and other CEs. If a healthcare organizations stores, obtains, or transmits ePHI on a network that is not secured, their data could be compromised. In fact, it is estimated that 94% of healthcare entities may experience a data breach during any given year. Furthermore, the average cost aftermath per healthcare organization is around $2.4 million. 

A covered entity must implement tactics that comply with the technical, physical, and administrative safeguards outlined under The Security Rule. The HHS Office for Civil Rights enforces these rules to help CEs minimize their risk of data breaches.

Technical Safeguards are…

A health plan or care provider that receives maintains, or transmits PHI needs to protect ePHI. In order to properly safeguard ePHI, implementing technical safeguards are paramount to any data security strategy. 

Technical Safeguards are

Under HIPAA law, technical safeguards are defined as, “…the technology used by Covered Entities and Business Associates, and the policies and procedures for its use and access to it.” The Technical Safeguards within HIPAA regulations are the measures a CE and BA must take to securely protect health data.

Technical Safeguards Under The HIPAA Security Rule

The HIPAA Security Rule operates based off of three fundamental concepts– flexibility, scalability, and technology neutrality. These concepts allow a CE to determine what security measures are reasonable and approbate for the size of their healthcare organization. 

Access controls, audit controls, data integrity, authentication, and transmission security are all Technical Safeguards that CE’s must utilize to protect ePHI. However, the ways in which a CE chooses to execute these security measures is left to their discretion. What is a technical safeguard? Examples of what Technical Safeguards are will be listed below.

Access Controls…

…security tactics that only allow authorized personnel to view and handle ePHI. Access controls that HIPAA covered entities need to implement to keep ePHI secure include the following.

  1. A specific user must be assigned to track log-in attempts.
  2. Proper procedures must be in place for accessing ePHI during an emergency.
  3. Any workstations that have access to ePHI must have automatic log-offs enabled. 
  4. Security methods to encrypt and decrypt data must be implemented. 

Audit Controls…

…software, hardware, or policies that are in place to monitor and record user activity that pertains to ePHI. There are no specified audit controls listed under The Security Rule. However, any HIPAA covered entity that handles ePHI needs to regulate the confidential data stored on their servers. 

Data Integrity…

…policies or procedures that are enacted to prevent ePHI from being altered or destroyed. Authenticating ePHI ensures that the original data has not been tampered with by unauthorized personnel.

Authentication…

…the process of identifying an individual attempting to view or access ePHI. Specific qualifications for authentication are not outlined under HIPAA. However, anyone who wishes to handle ePHI in any form must have permission to do so. Additionally, they need to be able to prove that they are who they say they are with verifiable credentials.

Transmission Security…

…methods of data security that maintain the integrity of PHI while it is created, received, or sent electronically. Modalities that healthcare organizations use to protect their sensitive information may include the following.

  1. ePHI must be preserved from alterations and remain undetectable. 
  2. ePHI must be encrypted when the healthcare organization deems it appropriate.
  3. Decryption keys must be stored separately from the data.

Data Encryption

The HIPAA Security Rule does not mention specific methods of protecting data. However, the most effective way to do this is through data encryption. It secures data in transit and at rest by stripping ePHI of all identifiable factors. Thus, should your organization ever experience a data breach, data that is compromised is rendered useless because it is all anonymous. 

Data Encryption

The only way to make encrypted data readable again is with a decryption key. These keys are unique to each form of PHI and should never be shared. Additionally, data security companies with a strong protection will also rotate decryption keys on a consistent basis. Therefore, a CE can take comfort in the fact that the best security practices for securing ePHI are always in place.