Are Technical Safeguards Required under HIPAA? What OCR Expects in 2025 and How to Prove Compliance

Yes—technical safeguards are required under the HIPAA Security Rule for any environment that creates, receives, maintains, or transmits electronic protected health information (ePHI). In 2025, the Office for Civil Rights (OCR) continues to expect demonstrable, risk-based controls aligned to modern cryptographic standards, continuous monitoring, and clear documentation. The HIPAA Security Rule NPRM signals a more prescriptive direction, especially around encryption, multi-factor authentication (MFA), asset inventories, and testing.

This guide translates those expectations into practical steps and evidence you can use to prove compliance, mapping each topic to a technical safeguard implementation specification where applicable.

Mandatory Encryption Requirements

What “mandatory” means under the Security Rule

Encryption is an addressable implementation specification, not optional. In practice, OCR treats strong encryption as the default for ePHI at rest and in transit; if you elect not to encrypt in a particular scenario, you must document why it is not reasonable and appropriate and implement an effective alternative control. Your security risk analysis should make that rationale explicit and traceable.

Encryption in transit

Protect ePHI over networks using modern protocols such as TLS 1.2+ (ideally TLS 1.3). Apply this to external and internal traffic, including APIs, patient portals, email gateways, and remote administration. Disable deprecated cipher suites and legacy protocols, and enforce certificate validation and forward secrecy to meet contemporary cryptographic standards.

Encryption at rest and key management

Enable full-disk, file, or database encryption for servers, endpoints, mobile devices, and backups that store ePHI. Use FIPS 140-3 validated cryptographic modules where feasible, with AES-256 or equivalent strength. Centralize key management, rotate keys per policy, restrict key access, and log all key lifecycle events to support integrity and non-repudiation.

Compensating controls and documentation

When encryption is impracticable—such as certain medical devices—document compensating controls (network isolation, strict access controls, microsegmentation, tamper resistance). Record decisions, responsible owners, review dates, and risk acceptance. The HIPAA Security Rule NPRM underscores aligning such decisions with current cryptographic standards and defensible risk treatment.

Multi-Factor Authentication Implementation

Scope and coverage

Implement MFA for remote access, privileged accounts, administrative consoles, EHR systems, cloud applications, and third-party/vendor access. Favor phishing-resistant authenticators (FIDO2/WebAuthn or platform-bound authenticators) over SMS. Apply step-up authentication for high-risk actions such as ePHI export, account elevation, or configuration changes.

Lifecycle and exceptions

Integrate MFA into identity lifecycle: enforce it at onboarding, require it for break-glass accounts with time-limited access, and remove it immediately at termination. For systems that cannot support MFA, document technical constraints, apply compensating controls (jump hosts, network segmentation, monitored sessions), and track remediation targets.

Proving MFA compliance

Maintain policies, access control standards, and screenshots of enforcement settings. Export MFA coverage reports from your identity provider, list privileged accounts with MFA status, and retain authenticator enrollment logs. Tie each artifact to your security risk analysis and evaluation records for audit readiness.

Network Segmentation Policies

Objectives and scope

Segment networks to minimize lateral movement and isolate ePHI systems. Separate production from development/test, restrict administrative networks, and place high-risk or legacy systems in tightly controlled enclaves. Apply zero trust principles—authenticate and authorize at each boundary, and deny by default.

Controls to implement

Use VLANs, firewalls, microsegmentation, and network access control to enforce least privilege between segments. In cloud environments, segment with VPCs, security groups, and network policies. Limit third-party connectivity to the minimum necessary and broker it through monitored jump points with MFA.

Validation and continuous monitoring

Test segmentation routinely with rule reviews, path analysis, and attack-simulation tools. Monitor east–west traffic for policy violations, and maintain up-to-date diagrams that show ePHI data paths. Continuous monitoring alerts should map to your change management process to prevent drift.

Annual Technical Inventory and Data Mapping

Asset inventory

Create a single source of truth for all assets that touch ePHI: servers, endpoints, mobile devices, medical devices, cloud services, containers, and data stores. Tag systems that create, receive, maintain, or transmit ePHI, and capture ownership, location, patch status, and data classification.

Data flow mapping

Map where ePHI is collected, processed, stored, transmitted, and archived, including backups and analytics. Document flows to business associates and maintain signed BAAs. Where appropriate, request a business associate compliance certification or attestation to strengthen due diligence, recognizing that OCR does not grant official HIPAA certifications.

Evidence to retain

Export inventory reports, CMDB extracts, and discovery tool outputs. Keep current architecture diagrams highlighting ePHI repositories and interfaces. Reconcile your map against DLP findings, audit logs, and billing/usage data to avoid blind spots.

Enhanced Security Risk Assessments

Security risk analysis and management

Perform a thorough security risk analysis at least annually and upon major changes. Identify reasonably anticipated threats to ePHI, evaluate likelihood and impact, and document risk treatment plans. Track progress via a risk register with accountable owners and due dates.

Methodologies and scope depth

Use established methods (for example, NIST-style approaches) to evaluate access control, audit controls, integrity protections, authentication, and transmission security. Include ransomware scenarios, supply chain risk, third-party connectivity, and backup/restore resilience in scope.

Recognized security practices and continuous monitoring

Demonstrate adoption of recognized security practices over the prior 12 months (such as aligned controls and metrics). Pair the assessment with continuous monitoring—SIEM, EDR, vulnerability scanning, configuration baselines—so findings and fixes are data-driven and timely.

Regular Security Measures Review and Testing

Control assurance cadence

Establish a formal review and testing program that aligns to your risk profile. Examples include daily log reviews, monthly vulnerability scanning, quarterly segmentation and backup restore tests, and annual penetration testing and incident response exercises. Adjust frequencies based on threat intelligence and audit results.

Testing depth and criteria

Define success criteria for each test (e.g., recovery time objectives, exploitability thresholds, coverage percentages). Record scope, methodology, evidence, and remediation outcomes. Feed results into your evaluation process so lessons learned translate into improved controls.

Documenting and Proving Compliance

Build an audit-ready evidence portfolio

Maintain a mapped set of artifacts for each technical safeguard implementation specification: policies and procedures, encryption configurations, MFA coverage reports, network diagrams, firewall rulesets, vulnerability and patch metrics, and logging/audit evidence. Keep BAAs, vendor risk assessments, and any business associate compliance certification or equivalent attestation on file.

Traceability, metrics, and retention

Link every control to a risk, an owner, and a measurable outcome. Track metrics such as encryption coverage, MFA adoption, mean time to patch, and incident response time. Retain required documentation for at least six years, including past versions, approvals, and meeting minutes to show ongoing governance.

Conclusion

Technical safeguards under HIPAA are mandatory, and in 2025 OCR expects encryption, MFA, segmentation, inventories, enhanced risk analysis, and continuous monitoring to be demonstrably in place. Treat the HIPAA Security Rule NPRM as a signal to formalize and test these controls, and maintain audit-ready evidence to prove compliance.

FAQs

What are the mandatory technical safeguards under HIPAA?

HIPAA requires technical safeguards that include access control, audit controls, integrity protections, person or entity authentication, and transmission security. While some implementation specifications are “addressable,” OCR expects strong encryption, robust authentication (often MFA), logging, and integrity controls for ePHI, or a documented, risk-based alternative with equivalent protection.

How often must security measures be reviewed and tested?

Review and test controls on a risk-based cadence, no less than annually and whenever major changes occur. Maintain continuous monitoring, perform periodic evaluations, run vulnerability scans monthly or quarterly, test restores and segmentation at least quarterly, and conduct penetration tests and incident response exercises annually.

How can entities prove compliance with updated HIPAA technical safeguards?

Assemble an evidence portfolio: security risk analysis reports, encryption and key management documentation, MFA coverage and policy attestations, network segmentation diagrams and test results, continuous monitoring dashboards, remediation records, BAAs and vendor assessments, and meeting minutes. Ensure artifacts map to each technical safeguard implementation specification and show sustained operation.

What changes does the OCR propose for HIPAA technical safeguards in 2025?

The HIPAA Security Rule NPRM emphasizes clearer, more prescriptive expectations around encryption of ePHI at rest and in transit, broader use of MFA (particularly for remote and privileged access), formalized asset inventories and data mapping, continuous monitoring, and regular testing. It reinforces alignment to current cryptographic standards and stronger vendor oversight, while preserving HIPAA’s risk-based framework.