What Are HIPAA Technical Safeguards? Explanation and Examples

The documentation and exchange of patient information are important aspects of delivering quality care. Patients entrust providers and facilities to not only track their medical histories, but also keep their personal data secure. With technology continuing to advance within the healthcare industry, HIPAA technical safeguards are necessary for combatting both old and new security challenges.

But, what are technical safeguards, exactly, and how do healthcare facilities employ them? We’ll walk through everything you need to know about these HIPAA procedures and how they help protect electronically stored patient health data, as well as examples to help you develop the right procedures for your facility.

HIPAA Safeguards: Overview

The Health Insurance Portability and Accountability Act (HIPAA) security rule outlines a set of federal regulations that protect the confidentiality and privacy of electronic patient health information (ePHI). Facilities are expected to implement three main types of security procedures to remain compliant with HIPAA:

1. Administrative safeguards are the policies and procedures designed to detect and prevent security violations of ePHI.
2. Physical safeguards are the policies and procedures designed to limit the physical access to ePHI.
3. Technical safeguards are the technical policies and procedures that restrict access to the electronic information systems maintaining the ePHI.

In this guide, we’ll dive into the details of technical safeguards. You can also visit the HHS resource center for an overview of these categories.

What Are HIPAA Technical Safeguards?

HIPAA defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it.” This essentially refers to all of the recommended strategies that facilities can use to protect the confidentiality, integrity, and accessibility of electronically stored patient data.

HIPAA doesn’t require the adoption of specific types of technical security measures. However, facilities are expected to implement relevant safeguards to meet basic security standards and avoid preventable violations. HIPAA outlines the following five essential types of technical safeguards.

HIPAA Technical Safeguards: Examples

Below we’ll provide a more detailed overview of the different types of technical safeguards and examples of how facilities can take measures to employ them.

1. Access Controls

Access controls are policies and procedures that grant authorized staff the ability to access systems containing protected health information (PHI), such as electronic health records (EHR). Access should be limited so that staff can retrieve just the minimum amount of PHI needed to perform their job duties. At baseline, facilities should have procedures that enable employee identification, emergency PHI retrieval, log-off automation, and PHI encryption.

Example Procedures:

• Require staff to swipe ID cards or input unique usernames to access computers.
• Revoke computer access once staff leave the facility or no longer require PHI.
• Back-up all data systems for situations where PHI access may be compromised.

2. Audit Controls

Audit controls refer to any automatic or manual procedures used to review, analyze, and track how PHI is recorded in electronic information systems. HIPAA doesn’t mandate specific types of information that should be collected from audits, so facilities should decide what data is most useful to review for their security needs.

Example Procedures:

• Track all log-ins and log-offs, in addition to unsuccessful access attempts.
• Monitor all general activity by users who are inputting and reading PHI.
• Create a log of each time new PHI is created, edited, or deleted.

3. Integrity Controls

Integrity controls refer to procedures that prevent unauthorized alteration or destruction of PHI. With staff regularly going in and out of patient charts to record information, it’s common for PHI to be changed unintentionally through human or technological errors. However, integrity controls work to prevent inappropriate data altering, regardless of the cause.

Example Procedures:

• Automate a pop-up confirmation before PHI can be deleted.
• Require electronic signatures from staff who are editing PHI.
• Implement checksum verification procedures during audits.

4. Person or Entity Authentication

Person or entity authentication refers to procedures used to verify the identity of individuals who are trying to access PHI. These safeguards are used to ensure that an individual requesting access is actually the person that they’re claiming to be. Requiring proof of identity helps reinforce the protections from other access controls that require authorization.

Example Procedures:

• Require individualized passwords or PINs each time staff log-in to systems.
• Provide physical tokens, such as cards or keys, that must be used to access PHI.
• Scan biometrics, such as fingerprints or facial patterns, each time staff enter the unit.

5. Transmission Security

The final technical safeguards are procedures related to transmission security. Patient health information is often transferred electronically between different health centers throughout the care process. These technical security measures ensure that the information can’t be intercepted or accessed during these exchanges.

Example Procedures:

• Obtain consent from patients if exchange of PHI is necessary for care.
• Use secure servers to transfer PHI and minimize direct email exchanges.
• Encrypt all attachments or documents containing PHI prior to an exchange.

Is Your Facility HIPAA Compliant?

Employing HIPAA technical safeguards is one of many strategies that facilities can use to protect the security and privacy of their patients. Stay connected with IntelyCare so you don’t miss out on the latest compliance tips and insights, and other free resources for your facility.