How Many Technical Safeguards Are Required by HIPAA? 5 Standards Explained


Kevin Henry

HIPAA

February 13, 2024


HIPAA’s Security Rule sets out five technical safeguard standards that every covered entity must address to protect electronic protected health information (ePHI) across information systems. These standards live in 45 CFR 164.312 and are supported by implementation specifications that are either required or addressable.

Addressable does not mean optional. You must evaluate each addressable specification, implement it if reasonable and appropriate, or adopt an equivalent alternative and document your rationale. Below, you’ll find each of the five standards explained in practical terms, with a focus on what they mean for your day-to-day operations.

Access Control

The Access Control standard requires you to restrict system access to authorized users and processes that need ePHI to do their jobs. The goal is to enforce least privilege across information systems so that only the right people, devices, and applications can view or handle ePHI.

  • Unique user identification (Required): Assign a unique ID to every user. Prohibit shared accounts so audit trails reliably tie actions back to individuals.
  • Emergency access procedure (Required): Establish “break‑glass” processes to obtain necessary ePHI during emergencies, with logging and post‑event review.
  • Automatic logoff (Addressable): Configure session timeouts on EHRs, portals, and administrative consoles to reduce risk from unattended sessions.
  • Encryption and decryption (Addressable): Implement mechanisms to encrypt stored ePHI and enable decryption for authorized use. Manage keys securely and restrict decryption rights.

Strong Access Control typically combines role‑based access, just‑in‑time elevation, and centralized provisioning. Map roles to job functions, review access regularly, and disable accounts promptly when workforce status changes.

Audit Controls

Audit Controls require mechanisms to record and examine activity in systems that create, receive, maintain, or transmit ePHI. You decide what to log based on risk, but your logs must meaningfully support detection and investigation of inappropriate access or use.

  • Log coverage: Capture access to records, queries, exports, administrative changes, authentication events, API calls, and data transmissions touching ePHI.
  • Log integrity and retention: Protect logs from alteration and store them for a defined period consistent with your risk analysis and legal requirements.
  • Review and response: Establish procedures to review audit trails, generate alerts for anomalies, and document investigations and corrective actions.

Effective audit programs correlate data from applications, databases, endpoints, and network devices. They also define who reviews which reports, how often, and what thresholds trigger escalation.
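As an added example (not code from the original article or from any product it mentions), the routine below turns three of the review rules above into checks over audit records: shared-account use, bulk exports above a threshold, and break-glass access that needs post-event review. The log lines, field names, the `shared_`/`generic_` account prefixes and the export threshold are all constructed assumptions.

```python
import json

# Constructed sample audit records (JSON lines); the field names are assumptions, not a real EHR schema.
SAMPLE_LOG = """\
{"ts": "2024-02-13T09:02:11Z", "user": "jdoe", "action": "view", "patient": "P-1001"}
{"ts": "2024-02-13T09:05:40Z", "user": "jdoe", "action": "view", "patient": "P-1002"}
{"ts": "2024-02-13T09:07:02Z", "user": "shared_frontdesk", "action": "view", "patient": "P-1003"}
{"ts": "2024-02-13T09:30:15Z", "user": "asmith", "action": "export", "records": 2500}
{"ts": "2024-02-13T09:31:00Z", "user": "rlee", "action": "break_glass", "patient": "P-1004"}
{"ts": "2024-02-13T09:45:00Z", "user": "jdoe", "action": "export", "records": 40}
"""

EXPORT_THRESHOLD = 500                             # records per export that triggers escalation (assumed)
SHARED_ACCOUNT_PREFIXES = ("shared_", "generic_")  # assumed naming convention for non-unique accounts


def review_audit_log(log_text: str) -> list:
    """Parse JSON-lines audit records and return findings that need human review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        user, action = event["user"], event["action"]
        # Unique user identification: activity from a shared account cannot be tied to one person.
        if user.startswith(SHARED_ACCOUNT_PREFIXES):
            findings.append({"rule": "shared_account", "ts": event["ts"], "user": user})
        # Bulk exports above the risk-analysis threshold are escalated, not merely logged.
        if action == "export" and event.get("records", 0) > EXPORT_THRESHOLD:
            findings.append({"rule": "bulk_export", "ts": event["ts"], "user": user,
                             "records": event["records"]})
        # Emergency (break-glass) access is permitted, but every use gets a post-event review.
        if action == "break_glass":
            findings.append({"rule": "emergency_access_review", "ts": event["ts"],
                             "user": user, "patient": event["patient"]})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule so reviewers can see what needs attention first."""
    counts = {}
    for finding in findings:
        counts[finding["rule"]] = counts.get(finding["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_audit_log(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(summarize(results))
```

In practice the thresholds and account conventions come from your risk analysis, and the findings feed the documented review-and-escalation procedure rather than a console.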

Integrity Controls

The Integrity standard requires safeguards to prevent improper alteration or destruction of ePHI. HIPAA also includes an addressable implementation specification to “authenticate” ePHI—verifying that data has not been tampered with.

  • Mechanisms to authenticate ePHI (Addressable): Use hashing, checksums, digital signatures, or write‑once storage to detect unauthorized changes.
  • Data lifecycle protections: Apply integrity checks during creation, storage, transmission, and restoration from backups. Validate imports and interface feeds.
  • Change governance: Enforce version control, peer reviews, and automated validation where data transformations or mappings occur.

Document how you ensure data integrity for each information system handling ePHI, including thresholds for alerting and steps for remediation when discrepancies arise.
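One way to implement the "mechanisms to authenticate ePHI" specification for stored records, as an added example that is not the article's own code: each record is sealed with an HMAC-SHA256 tag over a canonical serialization, and a read-time check flags any record whose content no longer matches its tag. The key, the `_integrity` field name and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; in a real system keep it in a KMS/HSM with restricted use.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields an identical tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its canonical form.

    A keyed tag (rather than a bare hash or checksum) means that whoever alters the
    record cannot simply recompute a matching value without also holding the key.
    """
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, "_integrity": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag over everything except the tag field and compare in constant time."""
    content = {k: v for k, v in sealed.items() if k != "_integrity"}
    expected = hmac.new(key, canonical_bytes(content), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("_integrity", ""))


def find_tampered(records: list) -> list:
    """Return the patient IDs of stored records whose content no longer matches their tag."""
    return [r["patient_id"] for r in records if not verify(r)]


# Constructed sample records (not real data).
ORIGINAL = seal({"patient_id": "P-1001", "allergy": "penicillin", "dose_mg": 250})
TAMPERED = dict(ORIGINAL, dose_mg=2500)   # content changed, old tag left in place


if __name__ == "__main__":
    print(verify(ORIGINAL))                     # True
    print(verify(TAMPERED))                     # False
    print(find_tampered([ORIGINAL, TAMPERED]))  # ['P-1001']
```

Run the same check when restoring from backup or ingesting an interface feed, and route every mismatch into the remediation steps your integrity documentation defines.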


Person or Entity Authentication

This standard requires you to verify that a person or entity seeking access is who they claim to be. HIPAA does not prescribe specific mechanisms, so your choices should follow risk analysis and usability considerations.

  • Identity proofing and unique credentials: Establish onboarding steps that bind identities to unique accounts for workforce members and service accounts.
  • Multi‑factor authentication (MFA): Strongly recommended for remote access, privileged accounts, and administrative consoles. Use phishing‑resistant factors where feasible.
  • Device and service authentication: Employ certificates, keys, or mutual TLS for systems and APIs that exchange ePHI.
  • Lifecycle management: Rotate credentials, revoke promptly upon role changes, and monitor for shared or weak secrets.

Because there are no explicit implementation specifications here, thorough documentation of your chosen controls—and why they are appropriate for your risks—is essential for compliance.

Transmission Security

Transmission Security requires technical measures to guard against unauthorized access to ePHI transmitted over electronic communications networks. It contains two addressable implementation specifications you must evaluate and implement as appropriate.

  • Integrity controls (Addressable): Detect or guard against unauthorized alteration during transmission using message authentication (for example, MACs) and protocol safeguards.
  • Encryption (Addressable): Encrypt ePHI in transit over public or untrusted networks. Use modern protocols (such as current TLS) for web, APIs, email gateways, VPNs, and remote administration.

Apply encryption to patient portals, telehealth sessions, offsite backups, and system‑to‑system interfaces. For email and messaging, use gateway‑level encryption or secure portals instead of sending ePHI unprotected. Validate cipher configuration and certificate management on a regular schedule.

In summary, HIPAA requires five technical safeguard standards—Access Control, Audit Controls, Integrity Controls, Person or Entity Authentication, and Transmission Security. Covered entities must assess each standard’s implementation specifications, decide what is reasonable and appropriate, and document controls that protect electronic protected health information across all applicable information systems.

FAQs

What are the five technical safeguard standards under HIPAA?

The five standards are Access Control, Audit Controls, Integrity Controls, Person or Entity Authentication, and Transmission Security. Together they set the baseline for protecting electronic protected health information in your information systems.

How do addressable implementation specifications work?

Addressable specifications must be evaluated through risk analysis. If a control is reasonable and appropriate, implement it. If not, document why it is not, implement an equivalent alternative that achieves the same purpose, and keep that documentation current. Although people sometimes say “addressable standards,” HIPAA technically makes individual implementation specifications addressable, not the standards themselves.

Are all technical safeguards mandatory?

The five standards are mandatory for covered entities. Within them, some implementation specifications are required and others are addressable. Addressable does not mean optional—you must assess, implement when appropriate, or adopt a documented alternative that meets the security need.

What is transmission security in HIPAA?

Transmission Security (45 CFR 164.312(e)(1)) requires measures to protect ePHI as it moves over networks. You must evaluate and implement, as appropriate, two addressable specifications: integrity controls to prevent unauthorized alteration and encryption to prevent unauthorized access during transmission.
