What are HIPAA Technical Safeguards?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA, PL104-191) was enacted to protect the privacy and availability of health insurance coverage and medical information. The law’s primary goals include protecting health insurance coverage for workers and their families in the event that the insured employee changes or loses a job, safeguarding the security and confidentiality of patient health information, and establishing standards for the electronic exchange of health care information. HIPAA required the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.1 To that end, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule establishes national standards for the protection of certain health information, and the Security Rule establishes national security standards for the protection of certain health information that is held or transferred in electronic form.
The Security Rule requires that covered entities maintain reasonable and appropriate safeguards for protecting electronic patient health information (e-PHI) in three distinct areas: administrative, technical, and physical. The Security Rule defines technical safeguards in 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguards are becoming increasingly important due to technological advancements in the health care industry; as technology improves, new security challenges emerge. Healthcare organizations are faced with the challenge of protecting e-PHI, such as electronic health records, from various internal and external risks. To reduce risks to e-PHI, covered entities must implement technical safeguards. The following are the four standards for technical safeguards:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access e-PHI.
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
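One way to meet the Access Control, Audit Controls and Integrity Controls standards above in a single code path, as an added example that is not from the original page or from HHS: every access decision is logged, and log entries are chained with an HMAC so a later edit or deletion is detectable. The role map, key, user names and record IDs are constructed assumptions, and the Security Rule does not prescribe this particular mechanism.

```python
import hashlib
import hmac
import json

# Constructed sample policy and key (assumptions; load the key from a key store in practice).
PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}}
AUDIT_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # fixed starting value for the MAC chain

def _mac(prev_mac, entry):
    # Each MAC covers the previous MAC, so entries cannot be edited or dropped silently.
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def access_record(log, user, role, action, record_id, timestamp):
    """Access control: decide the request. Audit control: log it, allowed or not."""
    allowed = action in PERMISSIONS.get(role, set())  # unknown roles get nothing
    entry = {"ts": timestamp, "user": user, "role": role,
             "action": action, "record": record_id, "allowed": allowed}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "mac": _mac(prev, entry)})
    return allowed

def verify_log(log):
    """Integrity control: index of the first entry that fails, or None if intact."""
    prev = GENESIS
    for i, item in enumerate(log):
        if not hmac.compare_digest(item["mac"], _mac(prev, item["entry"])):
            return i
        prev = item["mac"]
    return None

def denied_attempts(log):
    """Examine the trail: (user, record) pairs for refused requests."""
    return [(i["entry"]["user"], i["entry"]["record"])
            for i in log if not i["entry"]["allowed"]]

def demo():
    log = []
    access_record(log, "dr_lee", "physician", "write", "MRN-001", "2024-01-05T09:00:00Z")
    access_record(log, "b_ortiz", "billing", "write", "MRN-001", "2024-01-05T09:02:00Z")
    access_record(log, "b_ortiz", "billing", "read", "MRN-001", "2024-01-05T09:03:00Z")
    intact, denied = verify_log(log), denied_attempts(log)
    log[1]["entry"]["allowed"] = True  # simulate an after-the-fact edit of the trail
    return intact, denied, verify_log(log)

if __name__ == "__main__":
    print(demo())
```

The chain detects edits and deletions inside the log but not truncation of its tail; catching that requires storing the latest MAC somewhere the log writer cannot modify.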
If a covered entity knows of an activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation, the covered entity must take reasonable steps to cure the breach or end the violation. Violations include the failure to implement safeguards that reasonably and appropriately protect e-PHI.
1 HHS.gov, 2023, “Summary of the HIPAA Security Rule”