What Are the HIPAA Security Rule Technical Safeguards? Full List and Requirements
The HIPAA Security Rule Technical Safeguards define the controls you must implement to protect the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI). They apply to covered entities and business associates, spanning clinical apps, cloud platforms, networks, and endpoints.
Below is the full list of Technical Safeguards and what each requires in practice. For each area, you’ll find clear actions that help you meet the HIPAA Security Rule Technical Safeguards while fitting your environment.
Access Control Standards
Access control focuses on ensuring only authorized individuals can view or use ePHI. You must implement logical controls that limit access based on role and need-to-know, and that verify a user’s identity before granting permissions.
Unique User Identification (Required)
Issue a distinct account to every workforce member—no shared logins. Map each ID to a person, role, and supervisor, and enforce least privilege. Tie Unique User Identification to provisioning, termination, and periodic access reviews.
Emergency Access Procedure (Required)
Define “break-glass” procedures for obtaining necessary ePHI during an emergency, when the normal access path is unavailable (for example, an identity provider or directory outage in the middle of patient care). Require documented justification, immediate alerts, and post-event review. Limit emergency accounts, time-box access, and log every action taken under them.
Automatic Logoff (Addressable)
Configure session timeouts that reflect clinical workflow risks (for example, shorter on shared workstations, longer for secure single-user devices). Use screen locks, re-authentication prompts, and remote wipe on mobile to reduce unattended exposure.
Encryption and Decryption (Addressable)
Protect stored ePHI with strong encryption (for example, full-disk and database encryption). Manage keys centrally and restrict decryption to authorized processes. Although addressable, Encryption and Decryption are now expected in nearly all settings, and they carry a practical benefit: ePHI encrypted in line with HHS guidance is not “unsecured PHI,” so a lost or stolen encrypted device does not by itself trigger breach notification, provided the key was not compromised with it.
Audit Controls Requirements
Audit controls require Activity Audit Mechanisms that record and examine system activity related to ePHI. Your objective is to generate actionable telemetry and routinely review it.
What to Log
- User logins and failures, privilege changes, and account lifecycle events.
- Access to ePHI: create, read, update, delete, print, export, and query parameters.
- System changes: configuration edits, patching, and security policy updates.
- Network and API events affecting ePHI flows, including service-to-service calls.
How to Review
Normalize logs to a common schema, synchronize clocks across systems (for example, with NTP) so events can be correlated, and set thresholds for alerts (for example, after-hours mass exports or bursts of failed logins). Perform routine reviews, investigate anomalies, and maintain evidence of findings and remediation. Retain logs per policy, often aligned with documentation retention requirements.
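As an added illustration, not code from the article or from any compliance product, the following Python script runs two of the review checks above over a handful of constructed audit events: it totals ePHI exports per user outside an assumed 07:00 to 19:00 window and counts failed logins. The log schema, the business hours, the thresholds, and the sample events are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit events (JSON lines), not real logs. Assumed schema:
# ts (ISO 8601, UTC), user, action, plus record_count for ePHI exports or
# ok=false for failed logins. Timestamps are already normalized to UTC, which
# is what the clock-sync step in the text buys you.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:05Z", "user": "rn.patel", "action": "read", "record_count": 1}
{"ts": "2024-03-04T02:14:10Z", "user": "svc-report", "action": "export", "record_count": 900}
{"ts": "2024-03-04T02:15:42Z", "user": "svc-report", "action": "export", "record_count": 1200}
{"ts": "2024-03-04T14:03:00Z", "user": "dr.lee", "action": "export", "record_count": 40}
{"ts": "2024-03-04T23:40:00Z", "user": "dr.lee", "action": "export", "record_count": 350}
{"ts": "2024-03-04T03:01:00Z", "user": "admin.k", "action": "login", "ok": false}
{"ts": "2024-03-04T03:01:07Z", "user": "admin.k", "action": "login", "ok": false}
{"ts": "2024-03-04T03:01:15Z", "user": "admin.k", "action": "login", "ok": false}
{"ts": "2024-03-04T03:01:21Z", "user": "admin.k", "action": "login", "ok": false}
{"ts": "2024-03-04T03:01:30Z", "user": "admin.k", "action": "login", "ok": false}
{"ts": "2024-03-04T08:00:00Z", "user": "rn.patel", "action": "login", "ok": false}
"""

BUSINESS_START = time(7, 0)   # assumed clinic hours, 07:00 to 19:00 UTC
BUSINESS_END = time(19, 0)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts'; skip malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue  # a real pipeline would count and alert on unparseable lines
        events.append(ev)
    return events


def is_after_hours(ts):
    t = ts.time()
    return not (BUSINESS_START <= t < BUSINESS_END)


def after_hours_bulk_exports(events, threshold=500):
    """Sum ePHI records exported outside business hours per (user, date) and
    return {(user, date): total} for totals at or above the threshold."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("action") == "export" and is_after_hours(ev["ts"]):
            key = (ev["user"], ev["ts"].date().isoformat())
            totals[key] += ev.get("record_count", 0)
    return {k: v for k, v in totals.items() if v >= threshold}


def failed_login_bursts(events, threshold=5):
    """Return the set of users with at least `threshold` failed logins."""
    failures = defaultdict(int)
    for ev in events:
        if ev.get("action") == "login" and ev.get("ok") is False:
            failures[ev["user"]] += 1
    return {u for u, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(after_hours_bulk_exports(evs))   # {('svc-report', '2024-03-04'): 2100}
    print(failed_login_bursts(evs))        # {'admin.k'}
```

The service account that exports 2,100 records at 02:00 is flagged while the clinician's 40-record export at 14:03 is not; the point of the per-user, per-day grouping is that two exports just under a threshold still add up to one alert.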
Integrity Protection Measures
Integrity controls ensure ePHI is not altered or destroyed in an unauthorized way. The implementation specification “mechanism to authenticate ePHI” is addressable but vital.
Data Integrity Controls
- Use hashing, checksums, and digital signatures to detect tampering.
- Enable application-level validation, record versioning, and change tracking.
- Employ write-once or immutability options for critical records and backups.
Tamper-Evident Operations
Protect logs and backups with integrity verification and access separation. Combine file integrity monitoring with alerting to catch unauthorized changes early. Coordinate with Transmission Integrity Controls to prevent in-transit corruption.
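The hashing and signature controls listed under Data Integrity Controls and the tamper-evident log protection described here can be shown together. The following Python module is an added example, not code from the article or from Accountable: it keeps an append-only log in which every entry carries the SHA-256 digest of the previous entry and an HMAC tag, so edits, deletions, reordering, and re-hashing by someone without the key are all detected on verification. The key, the entry layout, and the sample access records are assumptions constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Added example. Assumed: the sealing key is held by a separate logging service
# or KMS, so an account that can write to the log store cannot also re-seal
# entries (the access separation the text calls for). The key is inline only so
# the example runs offline; never hard-code real keys.
SEAL_KEY = b"example-seal-key-not-for-production"
GENESIS = "0" * 64  # "previous" digest used for the first entry


def canonical(record):
    """Stable serialization so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_digest(seq, prev, record):
    return hashlib.sha256(f"{seq}|{prev}|".encode() + canonical(record)).hexdigest()


def entry_tag(digest, key):
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append_entry(chain, record, key=SEAL_KEY):
    """Append a record linked to the previous digest and sealed with an HMAC."""
    prev = chain[-1]["digest"] if chain else GENESIS
    seq = len(chain)
    digest = entry_digest(seq, prev, record)
    chain.append({"seq": seq, "prev": prev, "record": record,
                  "digest": digest, "tag": entry_tag(digest, key)})
    return chain[-1]


def verify_chain(chain, key=SEAL_KEY):
    """Return (True, None) if intact, else (False, index of the first bad entry).
    Catches edited, deleted, or reordered entries; an attacker who recomputes
    digests without the key still fails the tag check."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        digest = entry_digest(i, prev, entry["record"])
        if (entry["seq"] != i or entry["prev"] != prev or entry["digest"] != digest
                or not hmac.compare_digest(entry["tag"], entry_tag(digest, key))):
            return False, i
        prev = digest
    return True, None


def rehash_without_key(chain, index, new_record):
    """Simulate an attacker with write access but no key: rewrite one record and
    recompute every digest and prev link from that point on, leaving tags as-is."""
    forged = copy.deepcopy(chain)
    forged[index]["record"] = new_record
    prev = forged[index]["prev"]
    for i in range(index, len(forged)):
        forged[i]["prev"] = prev
        forged[i]["digest"] = entry_digest(i, prev, forged[i]["record"])
        prev = forged[i]["digest"]
    return forged


def build_sample_chain():
    """Constructed sample access records (not real ePHI)."""
    chain = []
    for rec in [
        {"user": "dr.lee", "action": "read", "patient": "P-1001"},
        {"user": "rn.patel", "action": "update", "patient": "P-1002", "field": "allergies"},
        {"user": "svc-report", "action": "export", "records": 40},
    ]:
        append_entry(chain, rec)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))                      # (True, None)
    edited = copy.deepcopy(chain)
    edited[1]["record"]["patient"] = "P-9999"
    print(verify_chain(edited))                     # (False, 1)
    forged = rehash_without_key(chain, 1, {"user": "rn.patel", "action": "read"})
    print(verify_chain(forged))                     # (False, 1)
```

One limitation to handle separately: cutting entries off the tail of the chain is not detected, because nothing after the truncation point refers to what was removed. Periodically record the latest digest somewhere the log writer cannot reach (WORM storage, a separate system, or a signed daily summary) and compare against it during review.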
Person or Entity Authentication Processes
Authentication verifies that the person or system requesting access is who they claim to be. Effective Identity Verification Procedures underpin trustworthy authentication.
Identity Verification Procedures
At onboarding, verify government-issued ID or authoritative HR/licensure records and bind identities to Unique User Identification. Re-verify upon role changes or long inactivity, and revoke promptly at termination.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Authentication Methods
- Multi-factor authentication for remote, privileged, and high-risk access.
- Strong secrets management: minimum length, complexity, rotation on compromise.
- Certificate- or device-based trust for services and APIs, with key protection.
- Session controls: step-up authentication for sensitive actions and re-auth on timeout.
Transmission Security Practices
Transmission security protects ePHI when it moves across networks. The specifications cover encryption in transit and Transmission Integrity Controls.
Encryption in Transit (Addressable)
- Use TLS for web, email gateways, and APIs, with certificate and hostname verification enabled on every client; use IPsec or secure tunnels for site-to-site traffic.
- Disable weak ciphers and protocols (allow TLS 1.2 or later only; no SSLv3, TLS 1.0 or 1.1, RC4, 3DES, or static RSA key exchange) and prefer forward secrecy, which ECDHE key exchange and every TLS 1.3 suite provide.
- Secure email with gateways, patient portals, or S/MIME where appropriate; plain SMTP without TLS carries ePHI in clear text.
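To make the cipher and protocol points concrete, here is an added Python example (not from the article or from any vendor) that builds a hardened client TLS context with the standard library and audits a configuration against the policy above, putting a constructed weak cipher list beside the corrected one. The policy thresholds and the weak example list are assumptions for the illustration; the audit reads only the cipher names, so the same function can be pointed at a list pulled from a server scan.

```python
import ssl

# Added example. Assumed policy: TLS 1.2 minimum, certificate verification on,
# and only forward-secret (ECDHE or TLS 1.3) AEAD cipher suites.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK", "ADH", "AECDH", "SRP")
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")  # TLS_ names are TLS 1.3 suites


def hardened_client_context():
    """Corrected setting: TLS 1.2+, chain and hostname verification, ECDHE AEAD suites."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK")
    return ctx


def audit_tls_policy(min_version, cipher_names, verify_certs=True):
    """Return findings for a TLS configuration; an empty list means it passes."""
    findings = []
    if not verify_certs:
        findings.append("certificate verification disabled")
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol below TLS 1.2")
    for name in cipher_names:
        if any(m in name for m in WEAK_MARKERS):
            findings.append(f"weak cipher: {name}")
        elif not name.startswith(FORWARD_SECRET_PREFIXES):
            findings.append(f"no forward secrecy (static key exchange): {name}")
    return findings


def audit_context(ctx):
    """Audit a live ssl.SSLContext by reading back what OpenSSL actually enabled."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit_tls_policy(ctx.minimum_version, names,
                            ctx.verify_mode == ssl.CERT_REQUIRED)


# Weak setting: a cipher list an older server might still advertise
# (constructed for the example, not taken from a real system).
WEAK_EXAMPLE = {
    "min_version": ssl.TLSVersion.TLSv1,
    "ciphers": ["AES128-SHA", "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
}


def audit_weak_example():
    return audit_tls_policy(WEAK_EXAMPLE["min_version"], WEAK_EXAMPLE["ciphers"])


if __name__ == "__main__":
    for finding in audit_weak_example():
        print("weak config:", finding)
    print("hardened config:", audit_context(hardened_client_context()))  # []
```

The hardened context inherits `CERT_REQUIRED` and hostname checking from `create_default_context()`; the most common real-world weakness is not an exotic cipher but a client that sets `verify_mode = CERT_NONE` to silence a certificate error, which the audit reports first.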
Transmission Integrity Controls (Addressable)
Prevent undetected alteration with message authentication codes, digital signatures, and sequence validation (numbering messages so that replayed, dropped, or reordered messages are detected). Validate payload integrity end-to-end, not just at the transport layer: TLS protects each hop, but proxies, load balancers, and integration engines terminate it, and a payload can be altered at rest between hops.
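The following Python exchange is an added example, not code from the article or from Accountable, showing both sides of the control just described: the sender binds a sequence number and the payload under one HMAC, and the receiver checks the MAC before the sequence, rejecting altered, re-numbered, replayed, and out-of-order messages while accepting the genuine ones in order. The shared key, the message layout, and the sample lab-result payloads are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Added example. Assumed: sender and receiver share a per-channel key provisioned
# out of band (from a KMS in practice); inline here only so the example runs
# offline. The sequence number is MACed together with the payload, so neither
# can be changed or recombined without detection.
CHANNEL_KEY = b"example-channel-key-not-for-production"


def _mac(key, seq, body):
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()


def seal(seq, payload, key=CHANNEL_KEY):
    """Sender: serialize the payload and MAC it together with its sequence number."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"seq": seq, "body": body, "mac": _mac(key, seq, body)}


class Receiver:
    """Receiver: check the MAC first, then require strictly consecutive sequence numbers."""

    def __init__(self, key=CHANNEL_KEY):
        self.key = key
        self.next_seq = 0
        self.accepted = []   # payload dicts, in delivery order
        self.rejected = []   # (seq, reason)

    def receive(self, msg):
        if not hmac.compare_digest(_mac(self.key, msg["seq"], msg["body"]), msg["mac"]):
            self.rejected.append((msg["seq"], "bad mac"))   # altered body or moved seq
            return False
        if msg["seq"] < self.next_seq:
            self.rejected.append((msg["seq"], "replay or reorder"))
            return False
        if msg["seq"] > self.next_seq:
            self.rejected.append((msg["seq"], "gap: request retransmission"))
            return False
        self.accepted.append(json.loads(msg["body"]))
        self.next_seq += 1
        return True


def build_sample_messages():
    """Constructed lab-result messages (not real ePHI)."""
    return [seal(i, p) for i, p in enumerate([
        {"patient": "P-1001", "test": "HbA1c", "value": "6.1"},
        {"patient": "P-1001", "test": "LDL", "value": "130"},
        {"patient": "P-1002", "test": "K", "value": "4.2"},
    ])]


def demo():
    """Deliver the sample with tampering, replay, and reordering; return the receiver."""
    m0, m1, m2 = build_sample_messages()
    rx = Receiver()
    rx.receive(m0)                                               # True
    rx.receive(dict(m1, body=m1["body"].replace("130", "310")))  # False: bad mac
    rx.receive(dict(m1, seq=7))                                  # False: bad mac, seq is bound
    rx.receive(m0)                                               # False: replay
    rx.receive(m2)                                               # False: gap, m1 missing
    rx.receive(m1)                                               # True
    rx.receive(m2)                                               # True
    return rx


if __name__ == "__main__":
    rx = demo()
    print([p["value"] for p in rx.accepted])   # ['6.1', '130', '4.2']
    print(rx.rejected)
```

Checking the MAC before the sequence number matters: if sequence state were updated on an unauthenticated message, an attacker could desynchronize the channel with forged numbers alone. A digital signature can replace the HMAC where the receiver must be able to prove to a third party who sent the message.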
Implementation Specification Assessment
Every Technical Safeguard standard is required. Where a standard has implementation specifications, each is labeled Required or Addressable; Audit Controls and Person or Entity Authentication have no separate specifications and simply must be met. “Addressable” never means optional: you must implement the specification as stated, implement a reasonable and appropriate alternative, or, if neither is reasonable and appropriate in your environment, document why and how the standard is still met.
How to Assess
- Perform a risk analysis for your environment, data flows, and threats.
- Decide for each addressable specification: implement as-is, implement an equivalent alternative control, or document why neither is reasonable and appropriate and how the standard is still met.
- Document rationale, design, testing, and residual risk for every decision.
- Reassess after technology or workflow changes and after security incidents.
Compliance Documentation Procedures
Policies and procedures must describe how you meet Technical Safeguards and how you keep them effective. Evidence shows the controls are implemented and monitored.
What to Document
- Access control policy, role matrices, Unique User Identification, and Automatic Logoff settings.
- Encryption and Decryption standards, key management, and exception handling.
- Audit logging configuration, review cadence, findings, and corrective actions.
- Integrity controls, backup verification, and restoration testing.
- Identity Verification Procedures, authentication configurations, and MFA coverage.
- Transmission Security architectures, including Transmission Integrity Controls.
- Risk analyses, implementation decisions for addressable specs, and training records.
Retention and Maintenance
Maintain documentation and related evidence for at least six years from creation or last effective date. Review policies annually and after major changes, track versions, and ensure workforce acknowledgement.
Conclusion
The HIPAA Security Rule Technical Safeguards require disciplined access control, robust auditing, strong integrity protections, reliable authentication, and secure transmission. Assess each implementation specification against your risks, document rigorously, and monitor continuously to keep ePHI protected.
FAQs
What are the required Technical Safeguards under HIPAA Security Rule?
All five standards (Access Control, Audit Controls, Integrity, Person or Entity Authentication, and Transmission Security) are required. The Required implementation specifications are Unique User Identification and Emergency Access Procedure under Access Control. The remaining specifications (Automatic Logoff, Encryption and Decryption, the mechanism to authenticate ePHI, and the integrity and encryption specifications under Transmission Security) are addressable but widely expected in practice.
How do Addressable Safeguards differ from Required ones?
Required specifications must be implemented as written. Addressable specifications must be assessed: implement them if reasonable and appropriate; otherwise adopt a reasonable and appropriate alternative that achieves the same purpose, or, where no alternative is warranted either, document why and how you still meet the standard. In every case, record the decision and rationale.
What procedures ensure Identity Verification under HIPAA?
Use authoritative sources to prove identity at onboarding (for example, government ID or HR/licensure records), bind identities to Unique User Identification, and re-verify at role change or reactivation. Combine this with strong authentication such as MFA and session re-authentication.
How should covered entities document compliance with Technical Safeguards?
Create and maintain policies, procedures, configurations, and monitoring evidence for each safeguard. Include risk analyses, implementation decisions for addressable specs, audit findings with remediation, training attestations, and version-controlled records retained for at least six years.