HIPAA Security Rule: Technical Safeguards Checklist for 2026

The HIPAA Security Rule requires covered entities and business associates to implement technical safeguards that protect electronic protected health information (ePHI). If you are new to HIPAA, start with our complete HIPAA compliance guide for an overview of all requirements. Unlike administrative and physical safeguards, technical safeguards deal directly with technology. They cover systems, encryption methods, and access controls that keep patient data secure.

Whether you run a small practice, a growing startup, or a mid-size healthcare company, this checklist is for you. It covers every technical safeguard rule. It is clear and to the point. It explains what each one means in practice and provides setup guidance for 2026.

What Are HIPAA Technical Safeguards?

Technical safeguards are the technology and policies that protect ePHI and control access to it. They are one of three safeguard categories in the HIPAA Security Rule. See 45 CFR Part 164, Subpart C for the full text. The three categories are:

  • Administrative safeguards (§164.308): Policies, procedures, and workforce management
  • Physical safeguards (§164.310): Physical access to facilities and equipment
  • Technical safeguards (§164.312): Technology-based protections for ePHI

Each technical safeguard is classified as either "required" or "addressable." Required standards must be implemented. Addressable standards must be assessed. If the safeguard is reasonable and appropriate, implement it. If not, document why and implement an equivalent alternative.

⚠ Warning
"Addressable" does not mean "optional." You must either implement the safeguard, implement an equivalent alternative, or document why neither is needed based on your risk assessment. Simply skipping addressable requirements is a compliance violation.

The Four Technical Safeguard Standards

The HIPAA Security Rule defines four technical safeguard standards, each containing specific implementation specifications.

Standard 1: Access Control (§164.312(a)(1)) — Required

Access control limits ePHI access to authorized users and systems. This standard has four parts. Each one matters. Here is a closer look at each one.

Unique User Identification (Required)

Every person who accesses ePHI must have a unique ID. This can be a username, employee number, or similar credential. It ensures all activity traces back to one person. This is key for audits. It also helps with breach cases.

Here is the setup checklist.

  • Assign unique usernames to every workforce member who accesses ePHI systems
  • Prohibit shared accounts for any system containing ePHI
  • Maintain a current user directory that maps identifiers to individuals
  • Disable identifiers immediately upon workforce member termination or role change
  • Implement naming conventions that do not reveal the user's role or access level

💡 Pro Tip
Shared logins on nursing station workstations are one of the most common HIPAA violations. Even in high-traffic clinical environments, each user must log in with their own credentials. Single sign-on (SSO) solutions and badge-tap authentication can make this practical without slowing down clinical workflows.

Emergency Access Procedure (Required)

Organizations must establish procedures for obtaining ePHI during emergencies. When normal authentication systems fail, there must be a documented "break glass" process.

Here is the setup checklist.

  • Document emergency access procedures for each critical ePHI system
  • Define what constitutes an emergency (natural disaster, system outage, patient safety situation)
  • Create emergency access accounts with appropriate logging
  • Store emergency credentials securely (sealed envelopes in a safe, hardware security module)
  • Test emergency access procedures at least annually
  • Log and review all emergency access events within 24 hours

Automatic Logoff (Addressable)

Set up auto-logoff after a period of inactivity. This blocks access when users walk away from their screens. Set it and forget it. It runs on its own.

Here is the setup checklist.

  • Set session timeout to 15 minutes or less for workstations and applications with ePHI access
  • Configure screen locks that require re-authentication on all workstations
  • Implement shorter timeouts (5 minutes) for devices in public or shared areas
  • Ensure timeout settings apply to both local applications and web-based EHR sessions
  • Document any exceptions (such as operating room displays) with backup controls

Encryption and Decryption (Addressable)

Set up encryption for ePHI data. While addressable, encryption is the single best control for protecting patient data.

Here is the setup checklist.

  • Encrypt ePHI at rest using AES-256 or equivalent
  • Encrypt all databases, file servers, and backup media containing ePHI
  • Enable full-disk encryption on all laptops, mobile devices, and portable media
  • Manage encryption keys through a formal key management process
  • Document encryption standards and approved algorithms
  • If encryption is not implemented for specific systems, document the risk assessment and alternative safeguards

📝 Note
The HHS Breach Notification Rule creates a strong incentive for encryption: if encrypted ePHI is breached, it is not considered a "breach" under HIPAA because the data is unreadable. This safe harbor has saved companies millions in breach notification costs and penalties.

Standard 2: Audit Controls (§164.312(b)) — Required

Organizations must implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use ePHI. Small businesses and startups often find this the most overlooked requirement because they assume basic cloud logging is enough.

Here is the setup checklist.

  • Enable audit logging on all systems that create, store, process, or transmit ePHI
  • Log these events at minimum: login attempts (success and failure), ePHI access, ePHI modifications, permission changes, system configuration changes
  • Include these fields in every log entry: timestamp, user identity, event type, affected resource, source IP/device
  • Retain audit logs for a minimum of 6 years (HIPAA retention requirement)
  • Protect log integrity (write-once storage, log forwarding to a centralized SIEM)
  • Review audit logs regularly: daily automated alerts for anomalies, weekly manual reviews of high-risk access
  • Conduct quarterly audit log reviews documented with findings and corrective actions
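As an added illustration of the review steps above (not code from the original article), here is a small Python script that runs the kind of daily automated check the list calls for over a constructed JSON-lines audit log: it flags entries missing the required fields, ePHI events by identifiers that map to no current workforce member (a shared or stale account), and bursts of failed logins. The user IDs, hosts, addresses and event names are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields the checklist requires in every audit entry.
REQUIRED_FIELDS = ("timestamp", "user", "event", "resource", "source")

# Constructed user directory: identifiers that map to a current workforce member.
ACTIVE_USERS = {"rn.patel", "dr.lopez", "it.admin"}

# Constructed JSON-lines audit log (hypothetical users, hosts and addresses).
SAMPLE_LOG = """\
{"timestamp": "2026-03-02T08:00:00Z", "user": "rn.patel", "event": "login_success", "resource": "ehr-web", "source": "10.0.5.21"}
{"timestamp": "2026-03-02T08:01:00Z", "user": "dr.lopez", "event": "login_failure", "resource": "vpn", "source": "203.0.113.7"}
{"timestamp": "2026-03-02T08:02:00Z", "user": "dr.lopez", "event": "login_failure", "resource": "vpn", "source": "203.0.113.7"}
{"timestamp": "2026-03-02T08:03:00Z", "user": "dr.lopez", "event": "login_failure", "resource": "vpn", "source": "203.0.113.7"}
{"timestamp": "2026-03-02T08:04:00Z", "user": "dr.lopez", "event": "login_failure", "resource": "vpn", "source": "203.0.113.7"}
{"timestamp": "2026-03-02T08:05:00Z", "user": "dr.lopez", "event": "login_failure", "resource": "vpn", "source": "203.0.113.7"}
{"timestamp": "2026-03-02T08:10:00Z", "user": "nursestation", "event": "phi_read", "resource": "patient/4471", "source": "10.0.5.40"}
{"timestamp": "2026-03-02T08:11:00Z", "user": "rn.patel", "event": "phi_update", "resource": "patient/4471"}
"""


def parse_log(text):
    """Parse JSON-lines audit records, keeping each record's 1-based line number."""
    return [(n, json.loads(line)) for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def review_audit_log(text, active_users=ACTIVE_USERS, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, line_number, detail) findings for the daily automated review."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logins inside the window
    for n, rec in parse_log(text):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            # An entry without the required fields cannot be traced back to one person.
            findings.append(("incomplete_entry", n, ",".join(missing)))
            continue
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        if rec["event"].startswith("phi_") and rec["user"] not in active_users:
            # ePHI touched by an identifier that maps to no current individual (shared or stale account).
            findings.append(("unmapped_identity", n, rec["user"]))
        if rec["event"] == "login_failure":
            hist = [t for t in recent_failures[rec["user"]] if ts - t <= window] + [ts]
            recent_failures[rec["user"]] = hist
            if len(hist) == fail_threshold:  # fire once, when the threshold is reached
                findings.append(("failed_login_burst", n, f"{rec['user']} from {rec['source']}"))
    return findings


if __name__ == "__main__":
    for rule, line, detail in review_audit_log(SAMPLE_LOG):
        print(f"line {line}: {rule}: {detail}")
```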

Standard 3: Integrity Controls (§164.312(c)(1)) — Required

You must protect ePHI from being changed or deleted. Keep it safe and intact. No one should change it without a log.

Mechanism to Authenticate Electronic PHI (Addressable)

Use tools to verify that ePHI has not been changed or deleted without approval.

Here is the setup checklist.

  • Implement checksums or hash validation for ePHI at rest and in transit
  • Use digital signatures for critical documents (lab results, prescriptions, discharge summaries)
  • Configure database integrity checking (row-level checksums, transaction logs)
  • Implement version control for ePHI records with complete change tracking
  • Validate backup integrity through regular restoration tests
  • Monitor for unapproved database modifications through integrity monitoring tools

Standard 4: Transmission Security (§164.312(e)(1)) — Required

You must protect ePHI during transfer over any network. Data in motion is data at risk. Lock it down.

Integrity Controls for Transmission (Addressable)

Use controls to detect if ePHI is changed in transit. Think of it as a seal on a box. If the seal breaks, you know.

Here is the setup checklist.

  • Use TLS 1.2 or higher for all ePHI transmissions (TLS 1.0 and 1.1 are deprecated)
  • Implement message integrity checking (HMAC, digital signatures) for ePHI exchanges
  • Validate data integrity on receipt through checksums or hash comparison
  • Configure email systems to use TLS for ePHI transmissions (or use a secure messaging platform)
  • Document any transmissions that cannot use integrity controls with compensating measures
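An added example (not from the original article) that serves both the integrity mechanism for stored ePHI above and the transmission integrity controls in this list: a plain checksum stored next to the data can be recomputed by whoever altered the record, so this Python block seals each record with a keyed HMAC-SHA256 over a canonical serialization, with the key coming from the key-management process rather than sitting beside the data. The record layout, the key handling and the hypothetical patient identifier are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed integrity key; in production it is issued and stored by the key-management process.
INTEGRITY_KEY = secrets.token_bytes(32)

# Constructed lab result (hypothetical patient identifier and values).
LAB_RESULT = {"patient_id": "MRN-4471", "test": "potassium", "value": 4.1, "unit": "mmol/L"}


def canonical_bytes(record):
    """Serialize deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record, key=INTEGRITY_KEY):
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "hmac_sha256": tag}


def verify_record(sealed, key=INTEGRITY_KEY):
    """True only if the record still matches its tag; compare_digest avoids timing leaks."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["hmac_sha256"])


def demo_tamper_detection():
    """Seal a record, then show that a silently edited copy fails verification on receipt."""
    sealed = seal_record(LAB_RESULT)
    ok_before = verify_record(sealed)
    received = json.loads(json.dumps(sealed))  # what a receiver would parse off the wire
    received["record"]["value"] = 6.1          # a changed clinical value with no audit entry
    ok_after = verify_record(received)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo_tamper_detection())
```

A digital signature (asymmetric key) gives the same tamper evidence plus non-repudiation for documents such as prescriptions, at the cost of certificate management; the verification flow is the same.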

Encryption for Transmission (Addressable)

Encrypt all ePHI sent over any network. No exceptions. This one is clear cut.

Here is the setup checklist.

  • Enforce TLS 1.2+ for all web-based ePHI access (HTTPS everywhere)
  • Use VPN or equivalent encrypted tunnels for site-to-site ePHI transmissions
  • Encrypt all ePHI email transmissions (TLS mandatory, consider S/MIME or PGP for sensitive messages)
  • Secure wireless networks with WPA3 Enterprise or WPA2 Enterprise with AES
  • Encrypt all ePHI API traffic (REST APIs must use HTTPS with valid certificates)
  • Disable unencrypted protocols (FTP, HTTP, Telnet) on systems that handle ePHI
  • Implement certificate management to prevent expired or invalid certificates

⚠ Warning
Fax machines transmit ePHI without encryption. While fax is still widely used in healthcare, companies should document this risk in their risk assessment and migrate to secure electronic alternatives where possible. Direct Secure Messaging (via DirectTrust) is the recommended replacement.

Person or Entity Authentication (§164.312(d)) — Required

This rule says you must verify who is trying to access ePHI. No one gets in without proof. This is the law.

Here is the setup checklist.

  • Implement multi-factor authentication (MFA) for all remote ePHI access
  • Require strong passwords: minimum 12 characters, complexity requirements aligned with NIST 800-63B guidelines
  • Implement MFA for all privileged/admin access to ePHI systems
  • Use certificate-based authentication for system-to-system ePHI exchanges
  • Implement identity proofing procedures for new user account creation
  • Conduct periodic access reviews (quarterly for privileged users, annually for standard users)

💡 Pro Tip
NIST 800-63B says do not force periodic password changes unless a breach occurs. Instead, focus on password length (12+ characters), MFA, and breach-credential checking. Many healthcare companies still enforce 90-day password rotations, which actually decreases security by encouraging users to choose weaker, predictable passwords.
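As an added example (not the article's own code) of the Pro Tip above, this Python check applies the 800-63B approach the tip describes: a length floor, a breached-credential screen, and deliberately no composition rules or rotation. The breach list, hashed the way breached-password datasets are typically published, and the user names are constructed.

```python
import hashlib

MIN_LENGTH = 12  # the checklist's minimum
MAX_LENGTH = 64  # NIST 800-63B asks verifiers to accept at least 64 characters

# Constructed breached-credential list, stored as SHA-1 hex digests (hypothetical entries).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2026!", "correcthorsebatterystaple")
}


def check_password(candidate, username, breached=BREACHED_SHA1):
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    No character-class rules and no expiry date: 800-63B favours length, breach
    screening and MFA over forced complexity and periodic rotation.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the username")
    if hashlib.sha1(candidate.encode()).hexdigest().upper() in breached:
        reasons.append("appears in a breached-credential list")
    return reasons


if __name__ == "__main__":
    # A password that satisfies every classic complexity rule but is known-breached.
    print(check_password("Welcome2026!", "rn.patel"))
    # A long passphrase with no symbols or digits that passes.
    print(check_password("blue heron walks the ward at dawn", "rn.patel"))
```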

Technical Safeguards Implementation Priorities

Not all technical safeguards carry equal risk. Whether you are a startup building your first HIPAA program or a small practice upgrading legacy systems, prioritize implementation based on the risk each gap creates:

Priority 1: Immediate (Complete Within 30 Days)

  • Unique user identification (eliminate all shared accounts)
  • Encryption in transit (TLS 1.2+ everywhere)
  • Multi-factor authentication for remote access
  • Automatic logoff on all workstations

Priority 2: High (Complete Within 90 Days)

  • Full-disk encryption on all endpoints
  • Centralized audit logging with daily anomaly alerts
  • Encryption at rest for all ePHI databases
  • Emergency access procedures documented and tested

Priority 3: Standard (Complete Within 180 Days)

  • Integrity monitoring for ePHI systems
  • Comprehensive log review procedures
  • Certificate management program
  • Wireless network security upgrades

Tools for HIPAA Technical Safeguard Compliance

Several categories of tools help healthcare companies implement and maintain technical safeguards:

Identity and Access Management (IAM): Okta, Azure AD, Ping Identity. Handle unique user identification, MFA, and automatic logoff.

Encryption: BitLocker (Windows), FileVault (Mac), VeraCrypt (cross-platform) for endpoint encryption. AWS KMS or Azure Key Vault for cloud key management.

SIEM and Audit Logging: Splunk, Microsoft Sentinel, Elastic Security. Centralize audit logs and provide automated anomaly detection.

Vulnerability Management: Tenable Nessus, Qualys, Rapid7 InsightVM. Identify unpatched systems and misconfigurations that create compliance gaps.

Compliance Automation: Vanta, Drata, Secureframe. Map HIPAA requirements to actual controls, automate evidence collection, and track compliance status.

Common Questions About Technical Safeguards

Q: Do small businesses need all these safeguards? A: Yes. Small firms must follow all of these rules too. However, the setup can be scaled. A solo practitioner needs the same categories of controls as a hospital, but the specific tools and investment will be proportionally smaller.

Q: Can cloud services handle technical safeguards for us? A: Partially. Cloud providers like AWS, Azure, and Google Cloud offer HIPAA-eligible services and will sign BAAs. They handle infrastructure security, but you are responsible for configuring access controls, encryption settings, and audit logging correctly.

Q: What is the most cost-effective way for a startup to meet these requirements? A: Start with a compliance automation platform like Vanta or Drata that maps HIPAA controls to your actual infrastructure. These tools cost $10,000-$25,000 per year but save significantly on consultant fees and manual records.

Common Technical Safeguard Failures

These are the technical safeguard gaps that OCR investigators find most frequently:

  1. Shared login accounts on clinical workstations. According to HHS breach data, over 60% of investigated entities had shared credentials on at least one system. This violates unique user identification and makes audit trails meaningless. It is the single most common technical violation.
  2. Unencrypted laptops and USB drives. Lost or stolen unencrypted devices account for a large percentage of reported breaches. Full-disk encryption eliminates this risk category entirely.
  3. No audit log review process. Organizations enable logging but never review the logs. Without review, logging provides forensic value but no detective control.
  4. Outdated encryption protocols. TLS 1.0, SSL 3.0, and weak cipher suites remain common in healthcare environments, particularly on legacy medical devices and older EHR systems.
  5. Missing MFA on remote access. VPN and remote desktop connections without MFA are a primary attack vector for ransomware groups targeting healthcare.

HIPAA Technical Safeguards Self-Assessment Template

Use this checklist to assess your current compliance status:

| Safeguard | Specification | Type | Status |
|-----------|--------------|------|--------|
| Access Control | Unique User Identification | Required | ☐ |
| Access Control | Emergency Access Procedure | Required | ☐ |
| Access Control | Automatic Logoff | Addressable | ☐ |
| Access Control | Encryption/Decryption | Addressable | ☐ |
| Audit Controls | Audit logging and examination | Required | ☐ |
| Integrity | Mechanism to authenticate ePHI | Addressable | ☐ |
| Transmission Security | Integrity controls | Addressable | ☐ |
| Transmission Security | Encryption | Addressable | ☐ |
| Authentication | Person/entity authentication | Required | ☐ |

For each item, document: current implementation status, gaps identified, remediation plan, responsible party, and target completion date.

Frequently Asked Questions

Q: What is the difference between required and addressable HIPAA safeguards?

A: Required safeguards must be implemented with no exceptions. Addressable safeguards must be assessed based on your company's risk analysis. If the safeguard is reasonable and appropriate, you must implement it. If not, you must document why and implement an equivalent alternative measure. You cannot simply skip addressable safeguards.

Q: Does HIPAA require encryption?

A: Encryption is classified as "addressable" under both the access control and transmission security standards. However, given the current threat landscape and the breach notification safe harbor that encryption provides, it is extremely difficult to justify not encrypting ePHI. Most compliance experts treat encryption as effectively required.

Q: How long must HIPAA audit logs be retained?

A: HIPAA requires a 6-year retention period. Documentation must be kept from the date of creation or the date when it was last in effect, whichever is later. This applies to audit logs, policies, procedures, and other compliance records.

Q: What encryption standard does HIPAA require?

A: HIPAA does not specify a particular encryption standard. However, HHS guidance references NIST Special Publication 800-111 for data at rest and NIST Special Publication 800-52 for data in transit. In practice, AES-128 or AES-256 for data at rest and TLS 1.2+ for data in transit are considered the minimum acceptable standards.

Q: Is multi-factor authentication required by HIPAA?

A: HIPAA does not explicitly require MFA. The person or entity authentication standard (§164.312(d)) requires verification of identity but does not mandate a specific method. However, HHS guidance strongly recommends MFA. Most cyber insurance policies require it. For remote access, MFA is effectively necessary to meet the "reasonable and appropriate" standard.

Q: How often should HIPAA risk assessments be conducted?

A: HIPAA requires risk assessments to be conducted "regularly" but does not specify a frequency. The HHS Office for Civil Rights recommends at least one full risk assessment per year. Update it when big changes occur. Examples include new systems, security incidents, or regulatory changes.

James Mitchell
Author
James Mitchell covers topics in this category and related fields. Views expressed are editorial and based on research and experience.