The 5 Standards for HIPAA’s Technical Safeguards

HIPAA’s definition of Technical Safeguards: “The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Standard #1: Access Control where system permissions are granted on a need-to-use basis.

  • Give your employees a Unique User Identification to track and limit their activity.
  • Create an Emergency Access Procedure to obtain necessary ePHI even during emergencies.
  • Secure employee access by implementing Automatic Logoff after a set amount of inactivity.
  • ePHI should have Encryption and Decryption processes while in transit, at rest and in use.

Standard #2: Audit Controls are required for system oversight. There must be a way to review and record all ePHI activity. This helps in determining if a security violation occurred.

Standard #3: Integrity of the ePHI has to be protected against unauthorized alterations or deletion with electronic mechanisms to prove it.

Standard #4: Person or Entity Authentication serves to verify an individual’s access to ePHI. Some examples are (but not limited to) PINs, passwords, keycards and biometrics.

Standard #5: Transmission Security states that ePHI must be guarded from unauthorized access while in transit. Make sure you’re sending information over secure networks and platforms.


If you’ve gotten this far, you basically just read through 17 pages of HHS jibber jabber!