What Are HIPAA Technical Safeguards? Explanation and Examples
The documentation and exchange of patient information are important aspects of delivering quality care. Patients trust providers and facilities not only to track their medical histories, but also to keep their personal data secure. As technology continues to advance within the healthcare industry, HIPAA technical safeguards are necessary for combating both old and new security challenges.
But what exactly are technical safeguards, and how do healthcare facilities employ them? We’ll walk through everything you need to know about these HIPAA requirements and how they help protect electronically stored patient health data.
HIPAA Safeguards: Overview
The Security Rule under the Health Insurance Portability and Accountability Act (HIPAA) is a set of federal regulations that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). To comply, covered entities and their business associates are expected to implement three categories of safeguards:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
In this guide, we’ll dive into the details of technical safeguards. However, you can visit the HHS resource center for an overview of these categories.
What Are HIPAA Technical Safeguards?
HIPAA defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information (ePHI) and control access to it” (45 CFR 164.304). In practice, this covers the technical measures that facilities use to protect the confidentiality, integrity, and availability of electronically stored patient data.
HIPAA is technology-neutral: it doesn’t require the adoption of specific products or technologies. It does, however, set standards that facilities must meet, each with implementation specifications that are either “required” or “addressable.” Addressable does not mean optional: a facility must either implement the specification or document why it is not reasonable and appropriate and put an equivalent alternative in place. HIPAA outlines five technical safeguard standards:
- Access Controls
- Audit Controls
- Integrity Controls
- Person or Entity Authentication
- Transmission Security
HIPAA Technical Safeguards: Examples
Below we’ll provide a more detailed overview of the different types of technical safeguards and examples of how facilities can take measures to employ them.
1. Access Controls
Access controls are the policies, procedures, and technical mechanisms that grant authorized staff access to systems containing protected health information (PHI), such as electronic health records (EHR), and keep everyone else out. Access should be limited so that staff can retrieve just the minimum amount of PHI needed to perform their job duties. HIPAA’s implementation specifications for this standard are unique user identification and an emergency access procedure (both required), plus automatic logoff and encryption and decryption of stored ePHI (both addressable).
Example Procedures
- Require staff to swipe ID cards or enter their own unique usernames to access computers; never use shared accounts, or activity can’t be traced back to a person.
- Revoke computer access as soon as staff leave the facility or no longer require PHI for their role.
- Maintain an emergency access procedure, backed by tested data backups, so authorized staff can still reach PHI when normal access is unavailable.
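The following is an added example, not IntelyCare’s code or any real EHR product’s, of how the access-control specifications above fit together in code: a unique user ID per session, a role-to-field map that enforces “minimum necessary,” an idle timeout that implements automatic logoff, and a tagged “break-glass” path for emergency access. The roles, fields, sample chart, and 15-minute timeout are hypothetical values chosen for the demonstration.

```python
"""Minimum-necessary access checks with automatic logoff.

Added example, not IntelyCare's code or any real EHR's: roles, fields,
the sample chart and the idle timeout are hypothetical values chosen to
show how the HIPAA access-control specifications fit together.
"""
import time
from dataclasses import dataclass

# Hypothetical role-to-field map. Each role may read only the PHI fields
# its job needs ("minimum necessary"); anything else is denied and logged.
ROLE_FIELDS = {
    "nurse": {"name", "allergies", "medications", "vitals"},
    "pharmacist": {"name", "allergies", "medications"},
    "billing": {"name", "insurance_id", "procedure_codes"},
}

AUTO_LOGOFF_SECONDS = 15 * 60  # hypothetical idle timeout (automatic logoff)


class AccessDenied(Exception):
    """Raised when a read is refused; the caller never sees partial data."""


@dataclass
class Session:
    user_id: str             # unique user identification: one ID per person, never shared
    role: str
    last_activity: float     # epoch seconds of the last request in this session
    emergency: bool = False  # "break-glass" emergency access procedure


def check_session(session, now):
    """Automatic logoff: an idle session is treated as already logged out."""
    if now - session.last_activity > AUTO_LOGOFF_SECONDS:
        raise AccessDenied(f"{session.user_id}: session expired (automatic logoff)")
    session.last_activity = now


def read_record(session, record, fields, now=None, audit_log=None):
    """Return only the requested fields the session is allowed to read.

    Every decision, allowed or denied, is appended to audit_log so the audit
    controls can review it later. Emergency access skips the role filter but
    is tagged so every use can be reviewed after the fact.
    """
    now = time.time() if now is None else now
    audit_log = [] if audit_log is None else audit_log
    check_session(session, now)
    if not session.emergency:
        denied = set(fields) - ROLE_FIELDS.get(session.role, set())
        if denied:
            audit_log.append(("DENY", session.user_id, sorted(denied), "normal"))
            raise AccessDenied(f"{session.user_id} ({session.role}) may not read {sorted(denied)}")
    mode = "emergency" if session.emergency else "normal"
    audit_log.append(("READ", session.user_id, sorted(fields), mode))
    return {f: record[f] for f in fields}


if __name__ == "__main__":
    # Constructed sample chart; not real patient data.
    chart = {"name": "Pat Example", "allergies": "penicillin", "medications": "metformin",
             "vitals": "BP 120/80", "insurance_id": "INS-0001", "procedure_codes": "99213"}
    log = []
    nurse = Session("nurse_a", "nurse", last_activity=time.time())
    print(read_record(nurse, chart, ["name", "allergies"], audit_log=log))
    try:
        read_record(nurse, chart, ["insurance_id"], audit_log=log)
    except AccessDenied as e:
        print("denied:", e)
    print(log)
```

Note that the denied read still touches the session and is still written to the audit log: a pattern of denials is exactly what the audit controls in the next section should surface, and the emergency tag is what lets a reviewer pull every break-glass use for follow-up.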
2. Audit Controls
Audit controls are the hardware, software, and procedural mechanisms that record and examine activity in systems that contain or use PHI. HIPAA doesn’t mandate exactly what must be logged or how often logs are reviewed, so facilities should decide what data is most useful for their security needs, and protect the logs themselves from alteration so they can be trusted during an investigation.
Example Procedures
- Track all log-ins and log-offs, in addition to unsuccessful access attempts.
- Monitor all general activity by users who are inputting and reading PHI.
- Create a log of each time new PHI is created, edited, or deleted.
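Collecting the events in the list above is only half of an audit control; someone or something has to examine them. The following is an added example, not IntelyCare’s code, of review logic run over a constructed audit log in a hypothetical “timestamp key=value” format: it flags repeated failed logins, a successful login right after them, PHI access outside business hours, one user opening an unusual number of charts, and any deletion. The thresholds, hours, and sample lines are all constructed for the demonstration.

```python
"""Review logic run over constructed audit-log lines.

Added example, not IntelyCare's code. The key=value log format, the
thresholds and the sample lines below are hypothetical and constructed
for this demonstration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one event per line, "timestamp key=value ...".
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=nurse_a event=LOGIN result=OK src=10.0.1.12
2024-03-04T08:03:40 user=nurse_a event=READ patient=P1001 result=OK
2024-03-04T08:05:02 user=nurse_a event=LOGOFF result=OK
2024-03-04T02:14:09 user=billing_b event=LOGIN result=FAIL src=10.0.9.7
2024-03-04T02:14:15 user=billing_b event=LOGIN result=FAIL src=10.0.9.7
2024-03-04T02:14:21 user=billing_b event=LOGIN result=FAIL src=10.0.9.7
2024-03-04T02:14:30 user=billing_b event=LOGIN result=FAIL src=10.0.9.7
2024-03-04T02:14:41 user=billing_b event=LOGIN result=OK src=10.0.9.7
2024-03-04T02:15:10 user=billing_b event=READ patient=P2002 result=OK
2024-03-04T02:15:12 user=billing_b event=READ patient=P2003 result=OK
2024-03-04T02:15:14 user=billing_b event=READ patient=P2004 result=OK
2024-03-04T02:15:16 user=billing_b event=READ patient=P2005 result=OK
2024-03-04T02:15:18 user=billing_b event=READ patient=P2006 result=OK
2024-03-04T02:15:20 user=billing_b event=READ patient=P2007 result=OK
2024-03-04T14:20:00 user=dr_c event=UPDATE patient=P1001 result=OK
2024-03-04T14:21:00 user=dr_c event=DELETE patient=P1001 result=OK
"""

FAILED_LOGIN_THRESHOLD = 3     # hypothetical: consecutive failures worth a look
BULK_READ_THRESHOLD = 5        # hypothetical: distinct charts per user per review
BUSINESS_HOURS = range(6, 22)  # hypothetical: 06:00-21:59 counts as normal
PHI_EVENTS = {"READ", "UPDATE", "DELETE"}


def parse_line(line):
    """Turn 'ts k=v k=v' into a dict; the timestamp is parsed for hour checks."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review(log_text):
    """Return (user, code, detail) findings, in the order they are detected."""
    findings = []
    consecutive_failures = defaultdict(int)
    patients_read = defaultdict(set)
    flagged = set()  # (user, code) pairs already reported, to avoid duplicates

    def flag(user, code, detail):
        if (user, code) not in flagged:
            flagged.add((user, code))
            findings.append((user, code, detail))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event = rec["user"], rec["event"]

        if event == "LOGIN":
            if rec["result"] == "FAIL":
                consecutive_failures[user] += 1
                if consecutive_failures[user] == FAILED_LOGIN_THRESHOLD:
                    flag(user, "REPEATED_LOGIN_FAILURE",
                         f"{FAILED_LOGIN_THRESHOLD} consecutive failed logins from {rec.get('src', '?')}")
            else:
                if consecutive_failures[user] >= FAILED_LOGIN_THRESHOLD:
                    flag(user, "LOGIN_AFTER_FAILURES",
                         f"successful login after {consecutive_failures[user]} failures")
                consecutive_failures[user] = 0

        if event in PHI_EVENTS:
            if rec["ts"].hour not in BUSINESS_HOURS:
                flag(user, "AFTER_HOURS_PHI_ACCESS", f"{event} at {rec['ts'].time()}")
            if event == "READ":
                patients_read[user].add(rec["patient"])
                if len(patients_read[user]) > BULK_READ_THRESHOLD:
                    flag(user, "BULK_READ", f"{len(patients_read[user])} distinct patient charts")
            if event == "DELETE":
                flag(user, "PHI_DELETED", f"deleted patient {rec['patient']}")

    return findings


if __name__ == "__main__":
    for user, code, detail in review(SAMPLE_LOG):
        print(f"{code:24} {user:12} {detail}")
```

On the constructed log this reports five findings, four of them for the same account: three failed logins, a success right after a fourth failure, after-hours activity, and six charts opened in ten seconds. Individually each rule is noisy; together they are the kind of pattern a reviewer wants surfaced rather than buried in a raw log.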
3. Integrity Controls
Integrity controls are procedures that protect PHI from improper alteration or destruction. With staff regularly going in and out of patient charts to record information, it’s common for PHI to be changed unintentionally through human or technological error. Integrity controls work to prevent, or at least detect, inappropriate changes to data, regardless of the cause; HIPAA’s addressable specification here is a mechanism to authenticate ePHI, that is, to confirm it has not been altered or destroyed without authorization.
Example Procedures
- Require an explicit confirmation step before PHI can be deleted.
- Require electronic signatures from staff who are editing PHI, so each change is tied to an identified person.
- Verify checksums, keyed hashes, or digital signatures on stored records during audits, so that any unauthorized change is detected.
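The checksum bullet deserves one caveat: a plain checksum stored next to the record can simply be recomputed by whoever altered the row, so it only catches accidents, not tampering. The following is an added example, not IntelyCare’s code, that uses a keyed hash (HMAC-SHA256) instead, with the key held outside the database, and an audit routine that returns the IDs of records whose stored tag no longer matches. The key, record layout, and sample records are constructed for the demonstration; a digital signature would additionally bind the change to the signing user, which this example does not show.

```python
"""Keyed integrity tags for stored PHI records, checked during an audit.

Added example, not IntelyCare's code. The record layout, key and sample
records are constructed for this demonstration; the key would in practice
live in a secrets store, separate from the database holding the records.
"""
import hashlib
import hmac
import json

# Hypothetical integrity key. It must NOT be stored next to the records:
# a plain checksum (no key) can be recomputed by whoever altered the row.
INTEGRITY_KEY = b"replace-with-32-random-bytes-from-a-secrets-store"


def canonical_bytes(record):
    """Serialize deterministically so the same record always gives the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def seal(record, key=INTEGRITY_KEY):
    """Compute the HMAC-SHA256 tag to store alongside the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record, tag, key=INTEGRITY_KEY):
    """Constant-time check that the stored tag still matches the record."""
    return hmac.compare_digest(seal(record, key), tag)


def audit_records(rows, key=INTEGRITY_KEY):
    """rows: iterable of (record_id, record, stored_tag). Returns the ids that fail."""
    return [rid for rid, record, tag in rows if not verify(record, tag, key)]


def demo():
    """Constructed scenario: one chart is altered directly in the database."""
    chart = {"patient": "P1001", "allergies": ["penicillin"], "meds": ["metformin 500mg"]}
    tag = seal(chart)
    assert audit_records([("P1001", chart, tag)]) == []   # untouched record passes
    tampered = dict(chart, allergies=[])                  # allergy silently removed, tag unchanged
    other = {"patient": "P1002", "allergies": []}
    rows = [("P1001", tampered, tag), ("P1002", other, seal(other))]
    return audit_records(rows)                            # -> ["P1001"]


if __name__ == "__main__":
    print("records failing integrity check:", demo())
```

Sealing the canonical JSON rather than the raw database row means a reordering of fields is not reported as a change, while dropping an allergy is. Whatever the application does on a failure (block the read, restore from backup, open an incident), it should also write the failure to the audit log.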
4. Person or Entity Authentication
Person or entity authentication refers to procedures used to verify that a person or system seeking access to PHI is who it claims to be. Authentication establishes identity; the access controls above then decide what that identity is permitted to do, so the two reinforce each other.
Example Procedures
- Require individual passwords or PINs, never shared ones, each time staff log in to systems.
- Provide physical tokens, such as smart cards or hardware keys, that must be presented to access PHI.
- Scan biometrics, such as fingerprints or facial patterns, each time staff sign in to PHI systems.
- Combine two of these factors (something you know, have, or are) for multi-factor authentication; any one factor alone is weaker.
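The following is an added example, not IntelyCare’s code, of the two factors most EHR logins actually implement in software: a salted PBKDF2 password hash (the “something you know”) checked in constant time, plus a time-based one-time code from an authenticator app or hardware token (the “something you have”). The TOTP routine follows RFC 6238 over RFC 4226 HOTP and is checked against the RFC test vector; the user record, secret, and iteration count are hypothetical.

```python
"""Two-factor verification: salted password hash plus a TOTP code.

Added example, not IntelyCare's code. The user record, secret and PBKDF2
iteration count are hypothetical; the TOTP routine follows RFC 6238 (HOTP
from RFC 4226 over a 30-second time step).
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000  # hypothetical default; tune to the server's budget


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now=None, step=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step))


def verify_totp(secret, code, now=None, step=30, window=1):
    """Accept the current code and +/- `window` steps of clock drift."""
    now = time.time() if now is None else now
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def authenticate(user, password, code, now=None):
    """Both factors must pass. Both are evaluated so a failure doesn't reveal which one."""
    pw_ok = verify_password(password, user["password_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed user record: the password hash is what the server stores.
    user = {"password_hash": hash_password("correct horse battery staple"),
            "totp_secret": os.urandom(20)}
    code = totp(user["totp_secret"])  # what the staff member's authenticator shows right now
    print("login ok:", authenticate(user, "correct horse battery staple", code))
    print("wrong code:", authenticate(user, "correct horse battery staple", "000000"))
```

A real deployment would also rate-limit attempts and reject reuse of a TOTP code within its time step; both belong in the same place as the audit logging of failed logins shown in the previous section.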
5. Transmission Security
The final technical safeguard outlined by HIPAA is transmission security. Patient health information is often transferred electronically between different health centers throughout the care process. These safeguards guard against unauthorized access to PHI while it travels over a network, so that it can’t be read or altered in transit; HIPAA’s addressable specifications here are integrity controls and encryption.
Example Procedures
- Check the integrity of PHI on arrival so that data modified in transit is detected rather than silently accepted.
- Transfer PHI over encrypted channels (for example, TLS-protected connections or SFTP) between trusted servers, and minimize direct email exchanges, which are often not encrypted end to end.
- Encrypt all attachments or documents containing PHI before an exchange, and send the decryption key through a separate channel.
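“Use encrypted channels” is easy to get subtly wrong: the most common failure is a client that speaks TLS but turns off certificate verification, which lets anyone on the path read the PHI. The following is an added example, not IntelyCare’s code, showing a hardened client-side TLS context beside the weak one it should replace, a checker that a code review or CI job could run against either, and a hypothetical transport policy that refuses unencrypted schemes. Nothing here connects to a network.

```python
"""Transport settings for moving PHI: a weak TLS context beside a hardened one.

Added example, not IntelyCare's code. Nothing here connects to a network;
it builds the client-side ssl.SSLContext a PHI transfer should use, a
checker for it, and a hypothetical scheme policy.
"""
import ssl


def phi_transfer_context():
    """Hardened client context: verify the peer certificate and hostname, TLS 1.2+ only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_context():
    """What 'just make the certificate error go away' code looks like; the bad example."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE       # accepts any certificate: an interceptor can read PHI
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_problems(ctx):
    """Return the reasons this context must not carry PHI (empty list = acceptable)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are allowed")
    return problems


ALLOWED_SCHEMES = {"https", "sftp"}  # hypothetical policy: no plain http/ftp/smtp for PHI


def transport_allowed(url):
    """Policy gate for the 'minimize direct email' bullet: only encrypted transports."""
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    print("hardened:", context_problems(phi_transfer_context()))
    print("legacy:  ", context_problems(legacy_context()))
    for url in ("https://exchange.example.org/phi", "http://exchange.example.org/phi"):
        print(url, "allowed" if transport_allowed(url) else "refused")
```

Channel encryption protects PHI only between the two endpoints; the third bullet above (encrypting the document itself before sending) is what protects it once it lands in a mailbox or on a partner’s server.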
Is Your Facility HIPAA Compliant?
Employing HIPAA technical safeguards is one of many strategies that facilities can use to protect the security and privacy of their patients. Stay connected with IntelyCare so you don’t miss the latest compliance tips, insights, and other free resources for your facility.