HIPAA Security Rule Technical Safeguards List: 164.312 Control-by-Control Checklist

This control-by-control checklist translates 45 CFR 164.312 into practical steps you can implement to protect electronic protected health information. It aligns each technical safeguard with actionable tasks, evidence to retain, and pitfalls to avoid so you can operationalize ePHI access controls with confidence.

Under HIPAA, some specifications are “required” and others are “addressable.” Addressable does not mean optional; it means you must implement the measure or document an equivalent alternative based on risk. Use this checklist to drive remediation, audits, and continuous improvement.

Implement Access Control Policies

Access control is your first layer of defense. Define how users obtain, use, and lose access to ePHI across systems, devices, APIs, and third-party services. Policies should enforce least privilege, separation of duties, and documented approvals for every access grant.

Translate policy into procedures for identity lifecycle events—hire, transfer, termination—and ensure privileged access is elevated only when necessary and fully traceable. Map roles to application privileges and review them on a fixed cadence.

Checklist

• Define an access control policy covering ePHI access controls, roles, emergency access, third-party access, and remote work.
• Create a role-to-privilege matrix for each system containing ePHI; enforce least privilege and segregation of duties.
• Standardize joiner–mover–leaver procedures with ticketed approvals and timely deprovisioning.
• Require multi-factor authentication for remote, privileged, and high-risk ePHI access.
• Implement break-glass procedures with strict conditions, automatic alerts, and post-event review.
• Govern vendor and service account access through contracts, BAAs, time-bound credentials, and scoped permissions.
• Segment networks and applications to isolate ePHI from general user zones.
• Document exceptions and compensating controls in your risk analysis.

Evidence to retain

• Access control policy, role matrices, and approval records.
• Quarterly or semiannual access recertification results and remediation logs.
• Exception register with risk decisions and expiration dates.

Common pitfalls

• Shared or generic accounts obscuring accountability.
• Stale privileges after role changes or terminations.
• Unmonitored vendor access paths into ePHI systems.

Assign Unique User Identifiers

(Required) Every workforce member and system user must have a unique ID that ties actions to a single individual. Unique IDs enable precise attribution, audit trail management, and effective incident response.

Eliminate shared logins. Bind each ID to HR records and automate provisioning via an identity provider to maintain consistency across applications, databases, and endpoints.

Checklist

• Adopt a unique user ID standard and prohibit shared accounts for interactive access.
• Integrate identity and access management to propagate IDs to all ePHI systems.
• Use separate, auditable service accounts for non-interactive tasks with minimal scope.
• Enforce user authentication protocols such as MFA for privileged and remote sessions.
• Disable default vendor accounts and rename built-in admin IDs where supported.
• Ensure suspended or terminated users are promptly disabled across all systems.

Evidence to retain

• User ID standard, provisioning procedures, and sample account inventories.
• Logs demonstrating one-to-one mapping between user IDs and individuals.

Establish Emergency Access Procedures

(Required) Define how authorized personnel obtain necessary ePHI during emergencies such as EHR downtime, disasters, or life-safety events. Access must be rapid, minimal, and fully logged.

Coordinate emergency mode operations with business continuity and disaster recovery plans. Train responders and test regularly so the process works under pressure.

Checklist

• Designate emergency roles and least-privilege ePHI entitlements for those roles.
• Implement break-glass mechanisms with automatic alerts, time limits, and audit logs.
• Pre-stage alternates: read-only data views, backup systems, and downtime forms.
• Document manual identity verification steps if standard authentication is unavailable.
• Run and document drills at least annually; track lessons learned and corrective actions.

Evidence to retain

• Emergency access procedures, drill reports, and post-incident reviews.
• Logs showing emergency access use and subsequent access revocation.

Configure Automatic Logoff Systems

(Addressable) Reduce exposure from unattended sessions by enforcing inactivity timeouts and automatic logoff. Apply risk-based values by context and sensitivity.

Include workstations, virtual desktops, admin consoles, web apps, mobile devices, and APIs. Align session management across SSO, applications, and gateways to avoid gaps.

Checklist

• Set workstation screen lock after short inactivity, followed by session termination per risk tolerance.
• Enforce shorter timeouts for kiosks, shared workstations, and high-traffic clinical areas.
• Configure mobile device auto-lock, biometric unlock, and remote wipe via MDM.
• Apply idle timeouts to admin tools, databases, VPNs, and cloud consoles.
• Use short-lived API tokens with refresh limits; revoke on logout or device loss.

Evidence to retain

• Configuration baselines, MDM profiles, and application timeout settings.
• Validation screenshots, test results, and exception approvals where needed.

Deploy Encryption and Decryption Mechanisms

(Addressable) Implement mechanisms to encrypt and decrypt ePHI at rest. When you do not encrypt, document a rigorous risk analysis and equivalent safeguards—encryption is strongly recommended for modern environments.

Use strong cryptography and sound key management. Prefer FIPS 140-2/140-3 validated modules, centralized key custody, and role separation for key administrators.

Checklist

• Encrypt servers, databases, backups, and endpoints that store ePHI with strong algorithms (for example, AES-256).
• Protect keys in HSMs or cloud KMS; rotate and revoke keys on a defined schedule.
• Enforce full-disk encryption for laptops and portable media; disable removable storage unless authorized.
• Apply application-layer or field-level encryption for the most sensitive data elements.
• Document decryption procedures for incident response and eDiscovery with dual control.
• Record exceptions with compensating controls and review them at least annually.

Evidence to retain

• Encryption standards, key management procedures, and key rotation logs.
• Device encryption attestations, backup encryption reports, and exception analyses.

Utilize Audit Controls

(Required) Configure mechanisms to record and examine activity in systems that contain or use ePHI. Effective audit trail management supports investigations, privacy monitoring, and compliance reporting.

Centralize logs, synchronize time, and protect integrity so security incident monitoring can reliably detect anomalies such as inappropriate record snooping or mass exports.

Checklist

• Log who, what, when, where, and how for all ePHI creates, reads, updates, deletes, and exports.
• Capture admin activities, failed logins, privilege changes, and break-glass events.
• Normalize and forward logs to a SIEM; create alerts for suspicious access patterns.
• Synchronize system time (e.g., NTP) to preserve sequence fidelity across logs.
• Restrict, encrypt, and integrity-protect logs; prevent tampering and enforce retention per policy.
• Schedule periodic log reviews and document findings and remediations.

Evidence to retain

• Audit logging standards, SIEM alert catalog, and review reports.
• Risk-based log retention policy and proof of control testing.

Common pitfalls

• Inadequate coverage of read events or exports.
• Logs stored without integrity protection or time synchronization.

Ensure Data Integrity and Authentication

(Addressable) Integrity: protect ePHI from improper alteration or destruction and implement data integrity verification. Use cryptographic checks, application controls, and secure storage patterns to detect or prevent unauthorized changes.

(Required) Person or entity authentication: verify that a user or system requesting access is who they claim to be. Apply layered user authentication protocols to reduce credential misuse.

Data integrity controls

• Use checksums, hashes (e.g., HMAC), or digital signatures to verify ePHI integrity end-to-end.
• Enforce database constraints, versioning, and immutable logs for critical records.
• Implement tamper-evident storage or WORM for audit-critical datasets.
• Monitor for unexpected changes and reconcile against authoritative sources.

Authentication controls

• Require MFA for privileged, remote, and high-risk workflows.
• Standardize SSO using secure protocols (e.g., SAML or OIDC) to centralize access decisions.
• Adopt strong password practices, phishing-resistant factors where feasible, and device-based signals for step-up auth.
• Authenticate APIs and services using mutual TLS, signed tokens, and least-privilege scopes.

Evidence to retain

• Integrity verification procedures, change monitoring reports, and exception logs.
• Authentication policy, MFA coverage reports, and attestations from connected systems.

Apply Transmission Security Measures

(Addressable) Guard ePHI in transit over networks by implementing integrity controls and encryption. Use current transmission encryption standards to protect confidentiality and detect tampering.

Encrypt data over internal and external networks, including email, APIs, messaging, and remote access. Maintain certificate hygiene, modern cipher suites, and secure key exchange.

Checklist

• Use strong TLS for all web, app, and API traffic; disable outdated protocols and ciphers.
• Require secure email transport; use S/MIME, portals, or equivalent controls for external recipients.
• Protect remote connectivity with IPsec or modern VPNs; segment access to ePHI systems.
• Secure mobile and wireless channels with authenticated encryption and device management.
• Validate message integrity between systems (e.g., digital signatures, HMAC) to detect alteration.
• Manage certificates at scale: inventory, rotation, revocation, and alerting for expiry.

Operational tips

• Continuously test for weak ciphers, misconfigurations, and certificate issues.
• Document any non-encrypted transmissions with compensating controls and risk acceptance.

Conclusion

This HIPAA Security Rule Technical Safeguards List gives you a practical, control-by-control path to implement 164.312. Apply a risk-based approach, prefer strong encryption, verify identities, and operate robust logging and monitoring to keep ePHI confidential, intact, and available.

FAQs.

What are the key technical safeguards required by HIPAA?

HIPAA 164.312 requires audit controls and person or entity authentication, and specifies access control, integrity, and transmission security with required and addressable elements. Practically, you must implement unique user IDs, emergency access procedures, audit logging, user authentication, integrity protections, and risk-based encryption with strong operational monitoring.

How should unique user identification be implemented?

Assign every user a unique ID mapped to HR records, prohibit shared logins, and provision accounts via a centralized identity provider. Enforce MFA where risk warrants, disable default accounts, segregate service accounts, and ensure prompt deprovisioning on role changes or termination with full audit trail management.

What procedures ensure emergency access to ePHI?

Define break-glass roles with minimal necessary privileges, pre-stage alternative access paths, and document manual verification when standard systems are down. Trigger alerts on activation, limit duration, capture detailed logs, and conduct post-event reviews; test procedures through drills coordinated with business continuity and disaster recovery.

How does HIPAA require encryption for data transmission?

Transmission encryption is addressable under 164.312, meaning you must implement it or document an equivalent safeguard based on risk. In practice, organizations use modern TLS for all network traffic, secure email methods for external recipients, VPNs for remote access, and integrity checks to prevent tampering during transmission.