HIPAA9 min read

HIPAA Technical Safeguards

Technical safeguards are the technology and related policies that protect electronic Protected Health Information (ePHI). For technology companies, these are often the most straightforward to implement since they align with modern security best practices.

This guide details each technical safeguard required by the HIPAA Security Rule and provides practical implementation guidance for SaaS and technology companies.

Key Takeaways

Aspect Details
Categories Access control, audit controls, integrity, authentication, transmission
Required vs addressable Some specifications are required; others addressable
Risk-based Implementation should be based on risk assessment
Documentation All decisions and implementations must be documented

Quick Answer: Technical safeguards cover access controls (unique IDs, MFA, encryption), audit logging, data integrity, authentication, and transmission security. Most modern SaaS companies already implement many of these controls; the key is ensuring completeness, documentation, and alignment with HIPAA requirements.

Technical Safeguard Overview

The HIPAA Security Rule defines five technical safeguard standards:

Standard Reference Purpose
Access Control §164.312(a) Limit ePHI access to authorized persons
Audit Controls §164.312(b) Record and examine ePHI system activity
Integrity §164.312(c) Protect ePHI from improper alteration
Person/Entity Authentication §164.312(d) Verify identity before granting access
Transmission Security §164.312(e) Protect ePHI during transmission

Access Control (§164.312(a))

Access control is the foundation of ePHI protection. It ensures only authorized individuals can access health information.

Unique User Identification (Required)

Requirement: Assign a unique name and/or number for identifying and tracking user identity.

What this means:

  • Every user has a unique identifier
  • No shared accounts
  • User actions can be tracked individually
  • Identifiers aren't reused

Implementation:

Text 
Requirements:
- Unique username or ID for each user
- Integration with identity provider (IdP)
- User provisioning and deprovisioning processes
- Tracking of all active user accounts

Common approaches:
- Email addresses as unique identifiers
- Employee ID numbers
- UUID-based user IDs
- SSO with enterprise IdP

Common mistakes:

  • Shared service accounts for applications
  • Generic "admin" or "support" accounts
  • Reusing identifiers after employee departure

Emergency Access Procedure (Required)

Requirement: Establish procedures for obtaining necessary ePHI during an emergency.

What this means:

  • Define what constitutes an emergency
  • Document how to access ePHI when normal processes fail
  • Ensure availability during system outages
  • Balance emergency access with security

Implementation:

Text 
Emergency access plan should cover:
- Definition of emergency situations
- Break-glass procedures for emergency access
- Logging of all emergency access
- Post-emergency review process
- Alternative access methods if primary fails

Example scenarios:
- Primary authentication system down
- Key personnel unavailable
- Disaster recovery situations
- Urgent patient care needs

Automatic Logoff (Addressable)

Requirement: Implement electronic procedures that terminate sessions after inactivity.

What this means:

  • Sessions timeout after period of inactivity
  • User must re-authenticate to continue
  • Prevents unauthorized access to unattended sessions

Implementation:

Text 
Recommended configurations:
- Web applications: 15-30 minute session timeout
- API tokens: Short-lived (1 hour or less)
- Admin sessions: 15 minutes or less
- Workstation screen lock: 5-15 minutes

Technical approaches:
- Session timeout in application code
- Idle timeout in identity provider
- Screen lock policies on endpoints
- Token expiration for APIs

If you determine this is not reasonable:

  • Document the rationale
  • Implement equivalent alternative measures
  • Consider risk factors (workstation location, data sensitivity)

Encryption and Decryption (Addressable)

Requirement: Implement mechanisms to encrypt and decrypt ePHI.

What this means:

  • Encrypt ePHI at rest
  • Use appropriate encryption algorithms
  • Manage encryption keys securely

Implementation:

Text 
Encryption at rest:
- Database encryption (AES-256)
  - AWS RDS: Enable encryption
  - GCP Cloud SQL: Enable encryption
  - Azure SQL: Enable TDE
- File storage encryption
  - S3: Server-side encryption (SSE)
  - GCS: Default encryption
  - Azure Blob: Encryption at rest
- Full disk encryption on endpoints
  - macOS FileVault
  - Windows BitLocker
  - Linux LUKS

Encryption standards:
- AES-256 for symmetric encryption
- RSA-2048+ for asymmetric encryption
- Use cloud provider KMS for key management
- Rotate keys according to policy

Key management considerations:

  • Who has access to encryption keys?
  • How are keys rotated?
  • Where are keys stored?
  • What happens if keys are compromised?

Audit Controls (§164.312(b))

Requirement: Implement hardware, software, and/or procedural mechanisms to record and examine activity in systems containing ePHI.

What to Log

Event Category Specific Events
Authentication Login success, login failure, logout, MFA events
Authorization Access granted, access denied, privilege changes
Data access ePHI queries, views, exports, downloads
Data modification Creates, updates, deletes of ePHI
Administrative User management, config changes, policy changes
Security Alerts triggered, incidents, policy violations

Log Content Requirements

Each log entry should include:

Text 
Required fields:
- Timestamp (UTC, precise)
- User identifier
- Action performed
- Resource accessed
- Outcome (success/failure)
- Source IP address

Recommended fields:
- Session identifier
- User agent/client info
- Geographic location
- Request parameters (sanitized)
- Response code

Log Storage and Protection

Text 
Requirements:
- Retain logs for 6 years (HIPAA documentation requirement)
- Protect logs from tampering
- Ensure logs are accessible when needed
- Back up logs appropriately

Implementation:
- Centralized log aggregation (SIEM, log management)
- Write-once or append-only storage
- Separate access controls for log access
- Encrypted log storage
- Cross-region replication for durability

Log Review and Monitoring

Text 
Processes:
- Automated alerting for security events
- Regular log review (daily/weekly)
- Anomaly detection
- Incident investigation using logs

Alert triggers:
- Multiple failed login attempts
- Access outside normal hours
- Large data exports
- Admin actions
- Access from new locations

Integrity (§164.312(c))

Standard: Implement policies and procedures to protect ePHI from improper alteration or destruction.

Mechanism to Authenticate ePHI (Addressable)

Requirement: Implement mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

Implementation:

Text 
Data integrity controls:
- Checksums or hashes for stored data
- Digital signatures where appropriate
- Database integrity constraints
- Version control for records
- Audit trail of modifications

Validation approaches:
- Input validation
- Output encoding
- Database constraints (foreign keys, check constraints)
- Application-level validation

Backup integrity:
- Verify backup integrity regularly
- Test restoration procedures
- Checksums on backup files
- Monitor for backup failures

Practical implementation:

  • Use database transactions for data modifications
  • Implement optimistic locking to prevent conflicts
  • Log all data modifications with before/after values
  • Regular integrity checks on stored data

Person or Entity Authentication (§164.312(d))

Requirement: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

Authentication Methods

Method Strength Use Case
Password Low Legacy, always combined with MFA
MFA (TOTP) Medium-High Standard user authentication
MFA (Hardware key) High Privileged access, high-risk users
Biometric Medium-High Device unlock, convenience
Certificate-based High System-to-system, privileged access
SSO/Federation Varies Enterprise integration

Implementation Requirements

Text 
User authentication:
- Strong password policy (length > complexity)
- Multi-factor authentication required
- Account lockout after failed attempts
- Password change procedures
- Credential reset with identity verification

System-to-system authentication:
- API keys or tokens (short-lived)
- Certificate-based authentication
- OAuth 2.0 / OpenID Connect
- Service accounts with minimal privileges
- Regular credential rotation

Best practices:
- No plaintext password storage
- Use bcrypt, scrypt, or argon2 for password hashing
- Implement rate limiting on authentication endpoints
- Monitor and alert on suspicious authentication patterns

MFA Implementation

Text 
MFA requirements:
- Required for all ePHI access
- Required for administrative access
- Backup authentication methods available
- MFA enrollment process documented

MFA options:
- Authenticator apps (Google Authenticator, Authy)
- Hardware security keys (YubiKey, Titan)
- Push notifications (Duo, Okta Verify)
- SMS (less secure, acceptable as backup)

Configuration:
- Enable MFA at identity provider level
- Enforce MFA for all users, not just admins
- Require MFA re-enrollment periodically
- Monitor for MFA bypass attempts

Transmission Security (§164.312(e))

Standard: Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks.

Integrity Controls (Addressable)

Requirement: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

Implementation:

  • TLS provides integrity through MAC (Message Authentication Code)
  • Application-level checksums where appropriate
  • Digital signatures for critical data

Encryption (Addressable)

Requirement: Implement a mechanism to encrypt ePHI whenever deemed appropriate.

Implementation:

Text 
In-transit encryption requirements:
- TLS 1.2 or higher for all connections
- HTTPS required, HTTP rejected
- Strong cipher suites only
- Certificate validation

Web application:
- HTTPS everywhere (no mixed content)
- HSTS headers
- Secure cookies (Secure, HttpOnly, SameSite)
- Certificate pinning for mobile apps

API security:
- TLS required for all API endpoints
- Mutual TLS (mTLS) for service-to-service
- API authentication required
- Rate limiting and throttling

Email:
- Avoid PHI in email when possible
- Use secure messaging platforms
- If email necessary, use encryption (S/MIME, PGP)
- Consider email alternatives for PHI

File transfer:
- SFTP, SCP, or HTTPS for file transfers
- No FTP, Telnet, or unencrypted protocols
- Encrypted file containers if needed

TLS configuration best practices:

Text 
Supported protocols:
- TLS 1.3 (preferred)
- TLS 1.2 (minimum)
- TLS 1.1, 1.0, SSL: DISABLED

Cipher suites (example for TLS 1.2):
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- Avoid: RC4, DES, 3DES, MD5

Certificate requirements:
- 2048-bit RSA or 256-bit ECC minimum
- SHA-256 or stronger hash
- Valid certificate chain
- Not expired or revoked

Technical Safeguards Checklist

Access Control

  • Unique user identification implemented
  • No shared accounts
  • Emergency access procedures documented
  • Automatic session timeout configured
  • Encryption at rest implemented
  • Key management procedures documented

Audit Controls

  • Logging enabled on all ePHI systems
  • Authentication events logged
  • Data access logged
  • Administrative actions logged
  • Logs retained for 6+ years
  • Log monitoring and alerting implemented
  • Regular log review process

Integrity

  • Data validation implemented
  • Database integrity constraints in place
  • Modification audit trail maintained
  • Backup integrity verified
  • Checksums/hashes used where appropriate

Authentication

  • Strong authentication implemented
  • MFA required for ePHI access
  • MFA required for admin access
  • Password policy enforced
  • System-to-system authentication secure
  • Credential rotation procedures

Transmission Security

  • TLS 1.2+ required for all connections
  • HTTPS enforced, HTTP rejected
  • Strong cipher suites configured
  • Certificate management procedures
  • Internal traffic encrypted where appropriate

Common Technical Safeguard Gaps

Gap 1: Inadequate Logging

Problem: Logging exists but doesn't capture enough detail for audit.

Solution: Review logs against requirements, add missing event types, ensure retention meets 6-year requirement.

Gap 2: MFA Not Universal

Problem: MFA only required for some users or systems.

Solution: Require MFA for all users accessing ePHI, including developers and support staff.

Gap 3: Development Environment Access

Problem: Developers have production ePHI access for debugging.

Solution: Use de-identified data in development, implement proper data masking, restrict production access.

Gap 4: Service Account Management

Problem: Service accounts with broad access, no rotation.

Solution: Implement least privilege for service accounts, regular credential rotation, monitoring of service account usage.

Gap 5: Legacy Systems

Problem: Older systems don't support modern encryption or authentication.

Solution: Isolate legacy systems, implement compensating controls, plan for modernization.

How Bastion Helps

Bastion helps technology companies implement technical safeguards:

  • Gap assessment: Identify missing or inadequate controls
  • Implementation guidance: Configure controls correctly
  • Architecture review: Ensure security architecture supports HIPAA
  • Documentation: Document implementations and decisions
  • Validation: Verify controls work as intended

Ready to strengthen your technical safeguards? Talk to our team

Sources

← PreviousHIPAA for SaaS CompaniesNext →HIPAA Risk Assessment Guide
Back to HIPAA guides