HIPAA Technical Safeguards List (164.312): Quick-Reference Checklist for Access, Audit, Integrity, Authentication & Transmission Security

Use this quick-reference checklist to operationalize the HIPAA Technical Safeguards in 45 CFR §164.312 across systems that create, receive, maintain, or transmit electronic protected health information (ePHI). Each section translates the rule into concrete actions and evidence you can show during an audit.

Where noted, some specifications are “required” and others are “addressable.” Addressable still means you must implement a reasonable and appropriate control or document a justified alternative through risk analysis.

Implement Access Control Policies

Access control (164.312(a)) requires you to allow only authorized users to view or handle ePHI and to prevent inappropriate use. Pair written policy with enforceable technical controls.

• Define and enforce least-privilege roles (RBAC/ABAC) in EHRs, databases, and apps handling ePHI.
• Unique user identifiers (required): prohibit shared accounts; map each ID to a person, role, and department.
• Emergency access procedures (required): configure “break-glass” access with tight scopes, just-in-time elevation, and immediate audit review.
• Provisioning and deprovisioning: automate joiner/mover/leaver workflows; remove stale and duplicate accounts promptly.
• Segregate high-risk functions (e.g., export, mass lookup) behind additional approval or step-up verification.
• Document periodic access reviews; resolve exceptions; log sign-offs from data owners.
• Keep evidence: role matrices, user inventories, access review reports, screenshots of control settings.

Apply Audit Control Mechanisms

Audit controls (164.312(b)) require hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. Build comprehensive audit trail mechanisms and monitor them.

• Enable detailed logs across EHRs, apps, databases, operating systems, APIs, and network devices that touch ePHI.
• Standardize fields: user ID, event/action, patient or record ID, timestamp, source IP/device, success/failure.
• Synchronize time (NTP) on all components to preserve accurate event order and correlation.
• Centralize logs in a protected repository or SIEM with immutability/append-only controls.
• Alert on risky patterns: mass record access, after-hours spikes, failed logons, atypical data exports.
• Define review cadence, escalation paths, and incident documentation; test alert efficacy.
• Retain logs in line with policy and legal obligations; restrict direct log deletion by admins.
• Keep evidence: exception/alert tickets, audit review sign-offs, SIEM dashboards, retention policy artifacts.

Enforce Integrity Protection Measures

Integrity (164.312(c)(1)) ensures ePHI is not altered or destroyed in an unauthorized manner. Implement data integrity verification at application, database, and storage layers.

• Use checksums, hashes, or digital signatures to detect unauthorized changes to files and records.
• Apply database integrity controls: constraints, triggers for critical fields, versioning, and append-only logs.
• Implement file integrity monitoring on servers holding ePHI; alert on unauthorized edits or permission changes.
• Validate inputs and restrict bulk updates; require dual control for high-impact modifications.
• Protect backups with encryption and perform routine restore tests to confirm data integrity.
• Use write-once or immutable storage for critical logs and clinical documents where feasible.
• Keep evidence: hash manifests, restore test reports, change-control records, FIM alert summaries.

Verify Person or Entity Authentication

Person or entity authentication (164.312(d)) requires verifying that a person or system is who it claims to be before granting access to ePHI. Strengthen identity assurance across users, devices, and services.

• Adopt strong authentication protocols: SSO with SAML/OIDC, Kerberos for enterprise, RADIUS/TACACS+ for network, and key-based SSH for admins.
• Enforce MFA for remote, privileged, and clinical systems; prefer phishing-resistant methods (e.g., FIDO2/WebAuthn) or TOTP apps.
• Maintain robust password policy and secure recovery; prohibit shared secrets; monitor failed attempts and lockouts.
• Issue certificates or tokens for services, APIs, and devices; rotate and vault secrets.
• Tie every action to unique user identifiers; disable default and dormant accounts promptly.
• Keep evidence: IdP configuration exports, MFA coverage reports, device certificate inventories, failed-logon trend analyses.

Secure Transmission of ePHI

Transmission security (164.312(e)) protects ePHI in motion and maintains its integrity. Apply transmission encryption standards end to end and eliminate weak protocols.

• Use modern TLS for all web and API traffic (prefer TLS 1.3, minimum TLS 1.2) with strong cipher suites and HSTS.
• Encrypt file transfers with SFTP or FTPS; avoid FTP, Telnet, and unsecured HTTP.
• Secure email carrying ePHI via gateway or message-level encryption (e.g., S/MIME or portal-based delivery).
• Protect remote access with IPsec or SSL VPN; restrict split tunneling for administrative sessions.
• Implement integrity controls: authenticated encryption (AEAD), HMACs for messages, and checksum validation for batch interfaces.
• Harden wireless and internal segments; prefer enterprise-grade Wi‑Fi security for clinical areas.
• Keep evidence: redacted TLS scan results, VPN configurations, secure email policies, blocked-legacy-protocol reports.

Utilize Encryption and Decryption Methods

Encryption/decryption (164.312(a)(2)(iv)) is an addressable specification commonly implemented to render ePHI unreadable to unauthorized parties. Manage keys as carefully as the data they protect.

• Encrypt data at rest: full-disk encryption on laptops and mobile devices, database or file-level encryption on servers, and application field encryption for highly sensitive elements.
• Use validated cryptographic modules (e.g., FIPS 140-2/3) and strong algorithms such as AES-256 where appropriate.
• Centralize key management: HSM or cloud KMS, role-based access to keys, rotation, escrow, and auditable lifecycle tracking.
• Encrypt backups and archives; verify restores and key availability during disaster scenarios.
• Apply MDM to enforce device encryption, secure boot, and remote wipe for BYOD and corporate devices.
• Keep evidence: encryption status dashboards, key inventories, rotation logs, restore validation records.

Establish Automatic Logoff Procedures

Automatic logoff (164.312(a)(2)(iii)) reduces exposure from unattended sessions. Configure timeouts proportionate to risk and location.

• Set application and workstation inactivity timers; require re-authentication to resume access to ePHI.
• Shorten timers for public or shared workstations and kiosk-mode devices used in intake or exam areas.
• Apply mobile screen locks with biometric/PIN and remote-lock capabilities.
• Re-prompt for credentials before high-risk actions (e.g., changing access rights, exporting data).
• Document exceptions with compensating controls; review timer settings during security audits.
• Keep evidence: group policy or MDM profiles, application timeout settings, and validation screenshots.

In summary, align your HIPAA Technical Safeguards program with §164.312 by enforcing strong access controls, comprehensive audit trails, integrity checks, robust authentication, secure transmission, pervasive encryption, and reliable automatic logoff. Treat addressable items as implement-or-justify, and keep clear evidence for each safeguard.

FAQs

What are the key technical safeguards required by HIPAA?

HIPAA’s §164.312 covers five areas: access control, audit controls, integrity, person or entity authentication, and transmission security. Within these, some specifications are required (e.g., unique user identifiers and emergency access procedures) and others are addressable (e.g., Automatic logoff, encryption/decryption), which still require a risk-based implementation or documented alternative.

How does access control protect ePHI?

Access control limits ePHI to authorized users and uses unique user identifiers, least-privilege roles, and emergency access procedures to prevent inappropriate viewing or use. Automated provisioning, periodic access reviews, and session controls ensure that only the right people, at the right time, for the right purpose, can reach the data.

What mechanisms ensure the integrity of electronic health data?

Data integrity verification relies on checksums or digital signatures, database constraints, application validation, and file integrity monitoring to detect unauthorized changes. Regular backup-restores, versioning, and immutable storage add layered protection so you can prove records were not altered or can be restored accurately if corruption occurs.

How is transmission security maintained under HIPAA?

Transmission security is maintained by applying transmission encryption standards such as modern TLS for web and APIs, SFTP/FTPS for file transfers, and encrypted email or portals for messaging. Integrity controls like authenticated encryption and HMACs, coupled with VPNs for remote access and the removal of legacy protocols, protect ePHI in motion from interception or tampering.