Checklist: Implement the 3 Major Safeguards to Secure PHI

Protecting protected health information requires a practical, repeatable checklist that aligns policy, people, and technology. The three major safeguards—administrative, physical, and technical—work together to reduce risk to PHI and ePHI. Use this guide to translate requirements into concrete actions, including risk assessments, workforce training, security incident reporting, and resilient backup and recovery.

Administrative Safeguards

Program governance and accountability

Establish security leadership and decision rights. Designate a security officer responsible for coordinating privacy and security controls, setting priorities, and reporting to executives. Define how security exceptions are approved and reviewed to maintain accountability.

Policies, procedures, and ePHI access governance

Create written policies for acceptable use, access provisioning, and minimum-necessary use of PHI. Formalize ePHI access controls through role-based access, approval workflows, and periodic access recertification. Document sanctions for violations to drive consistent enforcement.

Third parties and data lifecycle

Map where PHI resides and moves across systems and vendors. Require security assurances in contracts, including breach notification duties, encryption requirements, and audit cooperation. Specify retention and disposal practices to limit unnecessary exposure.

Administrative checklist

• Appoint a security officer and define governance forums and cadence.
• Publish policies for access management, acceptable use, and device handling.
• Implement joiner-mover-leaver processes and quarterly access reviews.
• Embed security incident reporting steps in procedures and staff playbooks.
• Include security requirements in vendor agreements and track adherence.

Physical Safeguards

Facility access controls

Restrict entry to areas where PHI is stored or processed. Use badge access, visitor logs, camera coverage for ingress/egress, and secure rooms or cabinets for servers, networking gear, and paper records. Define escort policies for vendors and visitors.

Workstations, devices, and media

Position workstations to prevent shoulder surfing, apply privacy screens, and lock devices when unattended. Control portable media through encryption, sign-out logs, and documented disposal methods such as shredding or certified destruction.

Environmental and continuity considerations

Safeguard equipment with climate control, fire suppression, and uninterruptible power supplies. Maintain documented site maps and emergency procedures to preserve availability during outages.

Physical checklist

• Implement facility access controls with badges, logs, and periodic audits.
• Secure server rooms; limit keys and regularly reconcile access lists.
• Use cable locks, privacy screens, and automatic screen locks.
• Encrypt, track, and sanitize portable media before reuse or disposal.
• Test UPS and environmental alarms; document emergency shutdown steps.

Technical Safeguards

Access controls for ePHI

Enforce ePHI access controls with unique user IDs, multi-factor authentication, least privilege, and session timeout. Segregate administrative accounts and prohibit shared credentials. Apply network segmentation to isolate systems that handle PHI.

Encryption standards and transmission security

Protect data in transit and at rest using widely accepted encryption standards. Require TLS for all network transmissions and full-disk or database encryption for stored ePHI. Manage keys securely with restricted access and rotation schedules.

Audit control mechanisms and monitoring

Enable audit control mechanisms to capture access, changes, and administrative actions across applications, databases, and endpoints. Centralize logs, set alerts for anomalous behavior, and retain records long enough to support investigations.

Data integrity verification

Preserve accuracy and completeness with hashing, checksums, digital signatures, and application-level validation. Use write-once storage for critical logs and backups, and monitor for unauthorized changes with file integrity monitoring.

Technical checklist

• Require MFA, strong passwords, and least-privilege role design.
• Mandate TLS for all interfaces and encrypt ePHI at rest.
• Centralize logs; alert on failed logins, privilege changes, and mass exports.
• Implement data integrity verification and automatic session timeouts.
• Harden endpoints with patching, EDR, and device encryption.

Conducting Risk Assessments

Method and scope

Catalog systems, data flows, users, and third parties that create, receive, maintain, or transmit PHI. Identify threats, vulnerabilities, and existing controls to establish a baseline risk picture.

Evaluate likelihood and impact

Rate scenarios by how likely they are to occur and the impact on confidentiality, integrity, and availability. Consider operational disruption, financial exposure, and patient safety when scoring impact.

Treatment planning and documentation

Prioritize high-risk items, select mitigation options, assign owners and deadlines, and track progress. Document your methodology, findings, and decisions for transparency and future audits.

Risk assessment checklist

• Define scope and inventory assets handling PHI and ePHI.
• Identify threats, vulnerabilities, and existing controls.
• Score likelihood and impact; calculate inherent and residual risk.
• Publish a remediation plan with milestones and metrics.
• Review at least annually and after major changes or incidents.

Workforce Training

Role-based education

Tailor training to roles: clinicians, front office, IT, billing, and contractors. Emphasize how each role interacts with PHI, expected behaviors, and common pitfalls like misdirected emails or improper device use.

Reinforcement and measurement

Use short modules, simulated scenarios, and quick-reference guides to keep knowledge current. Track completion, test comprehension, and coach individuals who need reinforcement.

Training checklist

• Onboard staff with PHI handling, privacy, and security basics.
• Refresh training annually and when policies or systems change.
• Embed security incident reporting steps in all courses.
• Record attendance, scores, and acknowledgments for auditability.

Incident Response Procedures

Preparation and reporting

Define what constitutes a security incident and how employees report it. Publish a 24/7 contact method and escalation matrix to ensure rapid security incident reporting.

Triage, containment, and eradication

Classify incidents by severity, isolate affected systems, revoke compromised credentials, and preserve forensic evidence. Coordinate with legal, privacy, and leadership throughout the response.

Recovery and lessons learned

Restore from clean backups, verify system integrity, and monitor for recurrence. Conduct post-incident reviews to capture root causes and update controls, training, and playbooks.

Incident response checklist

• Publish an incident definition, reporting channels, and on-call roster.
• Maintain runbooks for phishing, ransomware, data exposure, and outages.
• Pre-stage forensic tooling and evidence handling guidelines.
• Document actions, decisions, and notifications end to end.

Data Backup and Recovery

Backup strategy and scope

Back up all systems that store or process PHI, including cloud services and endpoints. Define recovery time and recovery point objectives that meet clinical and business needs.

Protection, testing, and resilience

Apply encryption to backups, restrict access, and maintain offsite or immutable copies. Test restores regularly to validate integrity and performance, and automate verification to catch silent corruption.

Contingency planning

Develop runbooks for system failures, ransomware, and site outages. Align contingency planning with communication templates, alternate workflows, and supplier contacts to sustain care delivery during disruptions.

Backup and recovery checklist

• Implement the 3-2-1 rule: three copies, on two media, one offsite/immutable.
• Encrypt backups, rotate keys, and monitor access attempts.
• Test restores quarterly; document results and remediation.
• Map dependencies and prioritize critical systems for staged recovery.

Conclusion

By operationalizing administrative, physical, and technical safeguards—and reinforcing them with disciplined risk assessments, workforce training, incident response, and resilient backups—you create a durable security posture for PHI and ePHI. Treat this checklist as a living program: review it routinely, measure outcomes, and continuously improve.

FAQs

What are the 3 major safeguards for protecting PHI?

The three major safeguards are administrative, physical, and technical controls. Together they establish policies and accountability, secure facilities and devices, and implement ePHI access controls, encryption, monitoring, and integrity protections.

How do administrative safeguards help secure PHI?

Administrative safeguards provide governance through policies, role-based access, workforce oversight, vendor requirements, and defined security incident reporting. They align people and processes so technical and physical controls are applied consistently.

What technical measures protect ePHI during transmission?

Use strong encryption standards for all network traffic, enforce TLS for APIs and portals, require MFA, and monitor with audit control mechanisms. Validate data integrity during transfers with hashing or digital signatures.

How should physical access to ePHI be controlled?

Apply facility access controls such as badge readers, visitor logging, camera coverage, and locked rooms or cabinets. Combine these with workstation placement, privacy screens, and secure media handling to prevent unauthorized viewing or removal.