ePHI Safeguards Checklist: Administrative, Technical, and Physical Controls

Use this ePHI safeguards checklist to operationalize administrative, technical, and physical controls that align with the HIPAA Security Rule and complement the HIPAA Privacy Rule. Each section translates core requirements into practical steps you can implement and verify.

Throughout the checklist, you will see essential concepts woven in, including Risk Analysis, Access Control Standards, Encryption Standards, Audit Trail Requirements, and Transmission Security Protocols. Apply them consistently to reduce exposure, prove due diligence, and sustain compliance.

Conduct Risk Assessments

Define scope and assets

Map where ePHI is created, received, maintained, processed, or transmitted, including EHRs, backups, endpoints, cloud services, and third parties. Identify users, workflows, interfaces, and data flows to ensure your Risk Analysis covers every location ePHI can exist.

Analyze threats, vulnerabilities, and impact

For each asset, list realistic threat events (loss, theft, ransomware, misconfiguration, insider misuse) and related vulnerabilities. Estimate likelihood and impact, then score risk to prioritize remediation. Document inherited controls from vendors and residual risk you accept.

Create and maintain a risk register

Record risks, owners, target treatments, and due dates. Track mitigation progress and re-score after control changes. Reassess at least annually and whenever systems, vendors, or processes change, and after incidents to capture new lessons learned.

Develop Security Policies and Procedures

Establish a complete policy set

Publish clear policies for access control, acceptable use, workforce security, incident response, breach notification, device and media controls, encryption, logging, contingency planning, and vendor management. Align the policy suite to the HIPAA Security Rule while honoring permitted uses and disclosures under the HIPAA Privacy Rule.

Operationalize with procedures and training

Create step-by-step procedures that staff can follow without guesswork. Assign a Security Officer, define approval workflows, and train workforce members on role-specific responsibilities. Implement sanctions for noncompliance and maintain auditable acknowledgments.

Keep policies current

Review policies on a fixed cadence and upon major changes. Version-control updates, record rationales, and test procedures through tabletop exercises and drills to ensure readiness and continuous improvement.

Secure Facility Access

Control physical entry

Restrict access to data centers, network closets, and records rooms using badges, keys, biometrics, or mantraps. Maintain visitor logs, escort procedures, and camera coverage. Periodically review access lists to remove former staff and contractors.

Protect workstations and media

Position screens away from public view, enable privacy filters where needed, and enforce automatic screen locks. Store removable media securely; track custody for movement of servers, laptops, and drives. Apply tamper-evident seals for critical equipment.

Plan for environmental and emergency events

Provide fire suppression, clean power, and climate controls for sensitive rooms. Include site-specific evacuation, disaster recovery, and alternative site plans so ePHI remains available and intact during disruptions.

Enable Access Controls

Identity and authentication

Issue unique user IDs and require multi-factor authentication for privileged, remote, and administrative access. Disable shared accounts, enforce strong secrets, and rotate credentials regularly. Document emergency access procedures and test them.

Authorization and session security

Implement least privilege via role-based access and just-in-time elevation. Enforce automatic logoff, session timeouts, and device inactivity locks. Segment networks and restrict APIs to uphold Access Control Standards across applications and services.

Review and recertify access

Run periodic access reviews for all systems handling ePHI. Remove stale accounts promptly, validate break-glass usage, and monitor for excessive permissions or anomalous behavior tied to user roles.

Implement Audit Controls

Capture meaningful audit trails

Log who accessed which records, when, from where, and what actions were taken, including view, create, edit, export, print, delete, and administrative changes. Include authentication events, privilege escalations, and data transmissions to meet Audit Trail Requirements.

Protect and review logs

Timestamp with synchronized time, centralize logs, and restrict access to prevent tampering. Establish alerting for suspicious patterns—after-hours bulk queries, mass exports, or failed logins—and investigate promptly with documented outcomes.

Retention and reporting

Define retention periods consistent with organizational policy and applicable obligations. Automate reports for access anomalies, break-glass events, and high-risk activities to enable leadership oversight and rapid remediation.

Use Encryption

Transmission security

Enforce TLS 1.2+ (preferably TLS 1.3) for web, APIs, and email gateways, and use secure file transfer and VPNs for administrative sessions. Disable weak ciphers and protocols to meet Transmission Security Protocols and reduce downgrade risks.

Encryption at rest

Apply full-disk or volume encryption on servers, databases, endpoints, and backups using modern Encryption Standards such as AES-256. Ensure mobile devices, removable media, and cloud storage encrypt ePHI by default, with startup protections and secure boot.

Key management

Protect keys in hardware or dedicated services, separate duties, rotate and revoke keys on schedule, and back them up securely. Log key operations and maintain auditable ownership to sustain confidentiality and continuity.

Maintain Equipment Security

Asset inventory and baselines

Maintain a real-time inventory of all endpoints, servers, medical devices, and media that may store or process ePHI. Define hardened configuration baselines and verify compliance continuously.

Endpoint protection and maintenance

Standardize EDR/antimalware, host firewalls, and device encryption. Patch operating systems, applications, and firmware promptly, and restrict removable media and unauthorized software to limit attack surface.

Disposal and reuse

Sanitize or destroy media before reuse or disposal, record chain-of-custody, and verify erasure. Decommission systems with a checklist that includes data migration, access removal, and secure wipe steps.

Conclusion

Together, disciplined Risk Analysis, robust policies, strong access and audit controls, validated Encryption Standards, and vigilant facility and equipment safeguards form a defensible ePHI security posture. Apply this checklist iteratively to reduce risk and demonstrate compliance with the HIPAA Security Rule and the HIPAA Privacy Rule.

FAQs

What are administrative safeguards for ePHI?

Administrative safeguards are the policies, procedures, and oversight mechanisms you use to manage security—risk analysis and management, workforce training, sanctions, incident response, contingency planning, vendor oversight, and assigned security responsibility. They set expectations and direct how technical and physical measures are implemented and audited.

How do technical safeguards protect electronic PHI?

Technical safeguards enforce who can access ePHI and how it is protected in systems. They include unique IDs, multi-factor authentication, role-based authorization, automatic logoff, audit logging with monitoring, integrity checks, and encryption for data in transit and at rest using approved Transmission Security Protocols and Encryption Standards.

What physical controls are required for ePHI?

Physical safeguards limit and monitor access to facilities and equipment. They cover facility access controls (badges, keys, visitor logs, cameras), workstation security (screen placement, locks), and device and media controls (inventory, storage, transport, sanitation, and disposal) to prevent unauthorized physical access or tampering.

How often should risk assessments be conducted?

Perform a comprehensive Risk Analysis at least annually, and whenever significant changes occur—new systems, vendors, locations, or major process updates—or after security incidents. Update the risk register and remediation plans accordingly to keep controls aligned with your current threat landscape.