What are the Objectives of the HIPAA Technical Safeguards?

HIPAA Technical Safeguards

The objectives of the HIPAA Technical Safeguards – together with the Physical and Administrative Safeguards – are to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) via a series of standards and implementation specifications. However, technology alone cannot achieve these objectives, and it is necessary for covered entities and business associates to implement policies and procedures that support the objectives of the HIPAA Technical Safeguards.

The HIPAA Technical Safeguards can be found in §164.312 of the Security Rule. They consist of five standards relating to:

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Authentication Controls
  • Transmission Security

The five standards are explained in more detail below with details of how they help achieve the objectives of the HIPAA Technical Safeguards and what covered entities and business associates need to consider when deploying technologies and implementing policies and procedures.

Access Controls

The access controls standard protects electronic PHI and access to it by requiring covered entities and business associates to implement policies and procedures that restrict access to systems and devices that maintain electronic PHI in compliance with the Information Access Management Standard of the Administrative Safeguards (§164.308(a)(4)).

This means the policies and procedures must only allow “appropriate access” to authorized members of the workforce and software systems that have been granted access rights. The policies and procedures must also prevent unauthorized members of the workforce and software systems from accessing electronic PHI.

To ensure they meet the requirements of this standard, covered entities and business associates must comply with four implementation specifications:

  • Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
  • Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic PHI during an emergency.
  • Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic PHI.

With regards to the two “Addressable” implementation specifications (and all further Addressable implementation specifications in the HIPAA Technical Safeguards), covered entities and business associates must implement the specifications unless an assessment identifies they are unreasonable and inappropriate for protecting electronic PHI.

If an assessment identifies that an implementation specification is unreasonable and inappropriate, covered entities must implement an equally effective measure or document why the implementation specification or an alternative measure is not necessary. With regards to the two addressable access controls, it is difficult to conceive of alternatives that would be equally effective as those listed in the standard.

Audit Controls

The audit controls standard requires covered entities and business associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. The purpose of this control is to record who accessed systems containing electronic PHI and what they did while they were logged in.

Because HIPAA is technology neutral, the HIPAA Technical Safeguards do not explain how to comply with this standard. Therefore, it is possible for covered entities and business associates to comply with this standard by implementing mechanisms that record activity for review after an event has occurred: effectively retrospective protection of electronic PHI.

However, it is possible to deploy audit controls that automatically trigger alarms when a user strays from their permitted activities or when a specified event occurs (e.g., AWS CloudTrail or an equivalent logging and alerting service). The alarms can trigger security solutions that (for example) lock users out of a system or device before they are able to compromise the confidentiality, integrity, or availability of data.

Although automating audit controls increases the administrative overhead, it has the advantages of mitigating the likelihood of an unauthorized third party impermissibly accessing electronic PHI with an authorized user’s login credentials, a malicious insider deliberately compromising electronic PHI, or an authorized user making a genuine mistake that results in a breach of electronic PHI.

Integrity Controls

The integrity controls standard requires covered entities and business associates to implement policies and procedures to protect electronic PHI from improper alteration or destruction, yet has a sole addressable implementation specification requiring the implementation of mechanisms to corroborate data has not been altered or destroyed in an unauthorized manner.

If you reverse “policies and procedures” and “the implementation of mechanisms”, covered entities and business associates can comply with this standard by implementing access controls and audit controls configured to give authorized users read-only or least privilege access, and that flag anomalous alterations or deletions or allow/require alterations and deletions to be reviewed.
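As an added illustration (not code from the original article) of the two mechanisms described above, the audit controls that flag a user straying from their permitted activities and the integrity mechanism that corroborates a record has not been altered: the role policy, the audit events and the key are all constructed sample values, and real policies would come from the entity's own Information Access Management process.

```python
import hmac
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed least-privilege policy: role -> actions permitted on ePHI.
# Roles with read-only access appear with "read" only.
POLICY: Dict[str, Set[str]] = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "auditor": {"read"},
}

# Constructed sample audit events: (user, role, action, record_id)
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("dr.lee", "clinician", "read", "pt-1001"),
    ("dr.lee", "clinician", "update", "pt-1001"),
    ("j.roe", "billing", "read", "pt-1001"),
    ("j.roe", "billing", "delete", "pt-1002"),   # strays from permitted activity
    ("q.doe", "auditor", "update", "pt-1003"),   # read-only role altering ePHI
]


def review_audit_log(events, policy) -> List[str]:
    """Return one alert per event whose action is not permitted for the user's role.
    Unknown roles are alerted on too, since they hold no granted access rights."""
    alerts = []
    for user, role, action, record_id in events:
        if action not in policy.get(role, set()):
            alerts.append(f"{user} ({role}) attempted {action} on {record_id}")
    return alerts


def record_tag(key: bytes, record_id: str, content: bytes) -> str:
    """HMAC-SHA256 over record id and content, stored alongside the record so a
    later check can corroborate that it was not altered or destroyed."""
    mac = hmac.new(key, record_id.encode() + b"\x00" + content, hashlib.sha256)
    return mac.hexdigest()


def verify_record(key: bytes, record_id: str, content: bytes, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a fresh computation."""
    return hmac.compare_digest(record_tag(key, record_id, content), tag)


if __name__ == "__main__":
    for alert in review_audit_log(SAMPLE_EVENTS, POLICY):
        print("ALERT:", alert)
    key = b"constructed-demo-key-do-not-reuse"   # constructed; store real keys in a KMS/HSM
    tag = record_tag(key, "pt-1001", b"allergy: penicillin")
    print(verify_record(key, "pt-1001", b"allergy: penicillin", tag))   # True
    print(verify_record(key, "pt-1001", b"allergy: none", tag))         # False
```

Binding the record id into the tag means a tag cannot be moved from one record to another, and the audit review flags the two events in which a read-only role attempts an alteration or deletion.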

Authentication Controls

The authentication controls standard is very loosely worded inasmuch as it requires covered entities and business associates to implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. Issuing each authorized user with a unique password or PIN (as required by the Access Controls above) would satisfy this requirement.

However, considering the extent of password sharing in healthcare, one has to question whether this is sufficient to adequately meet the objectives of protecting electronic PHI and controlling access to it. Therefore, covered entities and business associates may want to consider additional measures such as biometric login or multi-factor authentication for some accounts.

Transmission Security

The transmission security standard is a good example of when it is difficult to find suitable alternatives to addressable implementation specifications, as the addressable implementation specifications for this standard require covered entities and business associates to implement integrity controls and encryption to ensure the confidentiality and integrity of electronic PHI in transit.

Therefore, unless electronic PHI is being transmitted within an enclosed network with no remote access available (which would make it difficult to comply with the Emergency Access Procedures above), covered entities and business associates are effectively required to implement robust integrity controls and encrypt electronic PHI in transit to comply with this standard of HIPAA.

Complying with the HIPAA Technical Safeguards

As mentioned above, HIPAA is technology neutral. Therefore, there is no help available from HHS’ Office for Civil Rights for covered entities or business associates finding it difficult to comply with the HIPAA Technical Safeguards. Because HIPAA is technology neutral, there is also no guidance on the nature of HIPAA training that should be provided in a security awareness program.

However, technology is evolving at a rapid pace and there are solutions available now that did not exist when the HIPAA Technical Safeguards were originally published. Covered entities and business associates that are finding it difficult to comply with the HIPAA Technical Safeguards should speak with compliance experts that have experience in automation and compliance-as-code solutions. These solutions are becoming simpler to understand, deploy, and configure, and can help covered entities and business associates more easily comply with the Security Rule as a whole and support the objectives of the HIPAA Technical Safeguards.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/