HIPAA Mandates Covered Entities Have Specific Safeguards: Requirements and Examples

HIPAA mandates that covered entities and their business associates implement specific safeguards to protect electronic protected health information (ePHI). This guide translates those requirements into practical steps and examples you can apply to your environment while aligning with ePHI protection policies and day‑to‑day operations.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and governance mechanisms that drive your security program. They define how you manage risk, assign responsibility, and respond to incidents across the organization.

Core Requirements

• Security management process: perform a security risk analysis, prioritize risks, and document corrective actions (risk management plan and timelines).
• Assigned security responsibility: designate a security official to develop, implement, and enforce the program.
• Workforce security and information access management: onboard/terminate access promptly and enforce minimum necessary use of ePHI.
• Security awareness and training: provide ongoing, role‑based education and reminders (see Workforce Training).
• Security incident procedures: establish incident response procedures that define identification, containment, notification, and post‑incident learning.
• Contingency planning: maintain a data backup plan, disaster recovery plan, and emergency mode operations; test and update them regularly.
• Periodic evaluations: conduct technical and nontechnical evaluations to measure control effectiveness and program maturity.
• Business associate management: execute, monitor, and retain business associate agreements that bind vendors handling ePHI to equivalent protections.

Documentation and Retention

Maintain and retain policies, procedures, risk analyses, decisions, and evidence (including logs used to support compliance) for at least six years from their creation or last effective date. Keep versions and rationale for major decisions to demonstrate due diligence.

Examples

• A written annual security plan that maps controls to identified risks, with owners and deadlines.
• A documented breach escalation path with 24/7 contacts, playbooks, and tabletop exercise records.
• Vendor due‑diligence questionnaires tied to BAAs and risk ratings that drive contract controls.

Physical Safeguards

Physical safeguards protect facilities, workstations, and devices that store or process ePHI. They reduce risks from loss, theft, tampering, and environmental hazards.

Facility and Workstation Controls

• Facility access controls: badge systems, visitor logs, camera coverage, and documented access reviews.
• Workstation use and security: screen privacy filters, automatic screen locks, and approved locations for handling ePHI.
• Device and media controls: tracked inventories, secure storage, and chain‑of‑custody records for moves and repairs.

Secure Disposal and Reuse

• Sanitize or destroy media (e.g., cryptographic erasure, shredding) before disposal or reuse.
• Back up ePHI prior to relocation and verify restorability after transfer.

Examples

• Locked server rooms with environmental monitoring and redundant power.
• Cable locks for nursing‑station laptops and lockers for staff‑assigned tablets.
• Documented wipe certificates for decommissioned drives and MFP hard disks.

Technical Safeguards

Technical safeguards are the electronic information system controls that enforce confidentiality, integrity, and availability of ePHI across applications, networks, and devices.

Access Control

• Unique user IDs, multi‑factor authentication, and emergency “break‑glass” access with oversight.
• Automatic logoff and session timeouts for shared workstations and clinical apps.
• Encryption and decryption capabilities to protect ePHI on endpoints and servers.

Audit Controls

• Comprehensive logging for EHR views, downloads, changes, and exports across systems.
• Audit trail requirements: centralized log collection, tamper‑evident storage, alerting, and documented retention aligned to policy.

Integrity and Authentication

• Integrity controls such as digital signatures or hashing to detect unauthorized alteration.
• Person or entity authentication to verify users, services, and devices before granting access.

Transmission Security

• Encryption in transit for APIs, portals, email, and telehealth (e.g., modern TLS for network traffic).
• Message integrity checks and safeguards against replay or downgrade attacks.

Examples

• SIEM alerts for anomalous chart access and mass export behavior.
• Digital signing of clinical documents with verification logs.
• Automated revocation of stale accounts through HRIS integration.

Risk Assessment

A documented security risk analysis is the foundation of HIPAA compliance. It identifies where ePHI lives, what could go wrong, and how you will reduce those risks to a reasonable and appropriate level.

How to Execute

• Inventory ePHI repositories, data flows, applications, devices, and vendors.
• Identify threats, vulnerabilities, and existing controls; assess likelihood and impact.
• Calculate risk levels, prioritize remediation, and assign owners and due dates.
• Record decisions, including alternatives chosen and why they are reasonable and appropriate.
• Reassess after significant changes (systems, locations, vendors, mergers) and on a routine cadence.

Examples

• Gap analysis revealing unsecured legacy imaging archives, resulting in network segmentation and encryption at rest.
• Vendor assessment leading to additional contractual controls and tokenization for claims data.

Encryption

Encryption is an addressable safeguard, meaning you must implement it when reasonable and appropriate or document an equivalent alternative. In practice, encryption is a primary defense that aligns with data encryption standards and materially reduces breach exposure.

Data at Rest

• Full‑disk or file‑level encryption for servers, endpoints, and mobile devices handling ePHI.
• Database or storage‑layer encryption with centralized key management and role separation.
• Encrypted backups with periodic restore testing and off‑site protection.

Data in Transit

• Modern TLS for application traffic, VPNs for administrative access, and secure email gateways or message portals.
• Mutual authentication for APIs and service‑to‑service communications.

Key Management

• Use validated cryptographic modules, rotate keys, protect keys in HSMs or secure vaults, and restrict operator access.
• Document cipher choices and exceptions, tying them to risk analysis outcomes.

Examples

• Encrypting mobile device storage with remote wipe and automatic lock after inactivity.
• Tokenizing identifiers before moving data to analytics platforms.

Access Control

Access control ensures only authorized users and devices can use ePHI, following authorized access protocols and the minimum necessary standard.

Policy and Governance

• Role‑based or attribute‑based access models with separation of duties and least privilege.
• Joiner‑mover‑leaver processes that grant, adjust, and revoke access quickly.
• Periodic access reviews for privileged and high‑risk roles, with documented approvals.

Technical Enforcement

• SSO with MFA, conditional access (location, device posture), and just‑in‑time elevation for administrators.
• Automatic session termination and re‑authentication for sensitive actions.
• Network access controls for clinical networks and secure onboarding of medical IoT.

Monitoring and Auditability

• Audit trail requirements tied to investigations: who accessed what, when, from where, and what changed.
• Behavior analytics to detect snooping, bulk downloads, or after‑hours anomalies.

Examples

• “Break‑glass” workflows with secondary review and post‑event justification.
• Quarterly access recertification for EHR superusers and billing exports.

Workforce Training

People are your front line. A strong program combines awareness, hands‑on practice, and reinforcement tied to real patient‑care scenarios.

Program Elements

• New‑hire and annual training with role‑based modules for clinicians, revenue cycle, research, and IT.
• Micro‑learning and phishing simulations with feedback and targeted refreshers.
• Clear reporting channels and drills that exercise incident response procedures and downtime workflows.
• Attestations, quizzes, and documented sanctions for policy violations.

Topics to Cover

• Recognizing and reporting suspected breaches, ransomware, and lost devices.
• Secure messaging, telehealth etiquette, and safe cloud/app usage with ePHI.
• Password hygiene, MFA usage, and handling of printed records and removable media.

Measuring Effectiveness

• Track completion rates, assessment scores, and incident trends to improve content.
• Retain training records and updates with your ePHI protection policies repository.

Conclusion

HIPAA’s safeguards work together: administrative policies set expectations, physical measures protect spaces and devices, and technical controls enforce them. By grounding decisions in a current risk analysis and strengthening encryption, access, logging, and training, you create a defensible, practical program that protects patients and supports clinical care.

FAQs

What are the key HIPAA safeguards for covered entities?

They include administrative safeguards (policies, risk management, incident handling, contingency plans), physical safeguards (facility, workstation, and device protections), and technical safeguards (access control, audit controls, integrity, authentication, and transmission security). Together they ensure reasonable and appropriate protection of ePHI across people, places, and systems.

How often must covered entities perform risk assessments?

HIPAA requires an ongoing, documented risk analysis with periodic review. You should reassess whenever major changes occur—such as new systems, facilities, or vendors—and on a routine cadence (commonly annually) to confirm controls still reduce risks to a reasonable and appropriate level.

What technical controls are required to protect ePHI?

Required technical controls include unique user identification, audit controls, integrity protections, person or entity authentication, and transmission security. Implement access control features like MFA and automatic logoff, maintain comprehensive audit trails, and use encryption capabilities for data at rest and in transit where reasonable and appropriate.

How does HIPAA mandate workforce training?

HIPAA mandates security awareness and training for all workforce members. Training should be role‑based, recurring (at hire and periodically), and cover policy expectations, secure handling of ePHI, recognizing and reporting incidents, and downtime procedures. Maintain records of completion, assessments, and corrective actions to demonstrate compliance.