Awareness article
HIPAA Technical Safeguards: What Small Clinics Need
What the HIPAA Security Rule requires under technical safeguards, which standards are required versus addressable, and practical starting points for small medical practices.
Short answer
HIPAA technical safeguards are the technology controls, together with the policies and procedures for using them, that a covered entity or business associate applies to protect ePHI from unauthorized access, alteration, destruction, and interception. They are defined at 45 CFR 164.312 and cover access control, audit controls, integrity, person or entity authentication, and transmission security. Every standard in that section is required; several of the implementation specifications beneath them are addressable, meaning the clinic must implement the specification or document why it is not reasonable and appropriate in its environment and put an equivalent alternative measure in place.
HIPAA’s technical safeguards standard sits at 45 CFR 164.312. It applies to any electronic protected health information — ePHI — that a covered entity or business associate creates, receives, maintains, or transmits.
The standard does not apply only to the EHR. If the clinic uses a task management tool, intake form software, document repository, or billing platform that touches ePHI, those systems also fall within scope.
The 164.312 standards
Access controls (164.312(a)(1))
Required: Unique user identification (§164.312(a)(2)(i)) — each user gets their own login credentials. No shared accounts on PHI-bearing systems.
Required: Emergency access procedures (§164.312(a)(2)(ii)) — a documented method for obtaining access to ePHI during an emergency when normal controls are unavailable.
Addressable: Automatic logoff (§164.312(a)(2)(iii)) — workstations should log users out after a period of inactivity. Virtually every clinic should implement this.
Addressable: Encryption and decryption (§164.312(a)(2)(iv)) — the ability to encrypt ePHI at rest and decrypt it when authorized users need access.
Audit controls (164.312(b))
Required. The covered entity must implement hardware, software, or procedural mechanisms that record and examine activity on systems containing ePHI. This is the foundation of a defensible audit trail. See HIPAA audit log requirements for small clinics for what that looks like in practice.
Integrity (164.312(c)(1))
Required: Implement policies and procedures to protect ePHI from improper alteration or destruction (§164.312(c)(1)). The integrity standard itself carries no alternative.
Addressable: Mechanism to authenticate ePHI (§164.312(c)(2)), meaning electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. The mechanism is the addressable part: clinics must implement one or document an equivalent alternative. In practice this means checksums, cryptographic hashes, or file-integrity verification on any system storing ePHI, with one caveat a practitioner should keep in mind: a hash stored next to the data it protects proves nothing if whoever alters the record can also rewrite the hash. Keep the reference values on a separate system, or use a keyed hash or a signature that the monitored host cannot forge.
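The following is an added example, not code from the article or from any product it mentions. It shows one way to build the §164.312(c)(2) mechanism described above: a keyed file-integrity baseline for a directory of ePHI records that reports improper alteration, destruction, and files that were never baselined. It uses only the Python standard library; the directory, the record files, and the verification key are constructed for the demonstration, and the key is assumed to be held off the monitored host in real use.

```python
# Added example (not from the article): a keyed file-integrity baseline for a
# directory of ePHI records, covering the 164.312(c)(2) mechanism. Assumes a
# local directory of files; the directory, records and key below are constructed.
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of a file, streamed so large exports are not read at once.

    A keyed digest rather than a bare SHA-256: anyone who can rewrite a record
    can also recompute a plain hash, but cannot recompute this one without the
    key, so the key belongs off the monitored host (constructed in demo())."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict[str, str], key: bytes) -> dict[str, list[str]]:
    """Recompute digests and report improper alteration, destruction, and
    files that were not in the baseline at all."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(
            name for name, digest in baseline.items()
            if name in current and not hmac.compare_digest(current[name], digest)
        ),
        "missing": sorted(name for name in baseline if name not in current),
        "unexpected": sorted(name for name in current if name not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three records, then alter one, delete one,
    and drop in a file nobody baselined."""
    key = b"constructed-demo-key-keep-off-host"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        records = {
            "pt-001.json": '{"mrn": "001", "dob": "1970-01-01"}',
            "pt-002.json": '{"mrn": "002", "dob": "1985-06-30"}',
            "notes/visit-2024-01-15.txt": "Routine follow-up.",
        }
        for name, body in records.items():
            (root / name).write_text(body)
        baseline = build_baseline(root, key)
        # The baseline is what you would store separately from the data,
        # e.g. as JSON on another system; round-trip it here to show that.
        stored = json.loads(json.dumps(baseline))

        (root / "pt-001.json").write_text('{"mrn": "001", "dob": "1970-01-02"}')  # altered
        (root / "pt-002.json").unlink()                                           # destroyed
        (root / "scratch.tmp").write_text("export in progress")                   # unbaselined
        return verify(root, stored, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against the baseline, the report is the evidence that the integrity mechanism exists and is examined; an empty report is what a clean day looks like, and any entry under "modified" or "missing" is the trigger for the incident procedure. Verifying with the wrong key flags every file as modified, which is the intended behaviour: the baseline is only trustworthy under the key it was built with.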
Person or entity authentication (164.312(d))
Required: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. Unique user identification says who is asking; this standard is about proving it, through passwords, hardware tokens, or multi-factor authentication.
Transmission security (164.312(e))
Required: Implement technical security measures to prevent unauthorized access to ePHI being transmitted over an electronic communications network (§164.312(e)(1)).
Addressable: Integrity controls — security measures to ensure that electronically transmitted ePHI is not improperly modified without detection (§164.312(e)(2)(i)).
Addressable: Encryption of ePHI in transit (§164.312(e)(2)(ii)). For most clinics transmitting ePHI over the public internet, TLS is the standard approach: current protocol versions, with certificate validation turned on, since an encrypted session to an unverified endpoint still hands the ePHI to anyone who can sit in the path.
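As an added example that is not part of the article, here is the difference between "encrypted" and "protected" at the TLS client level, written in Python's standard library: a weak context that encrypts but verifies nothing, the hardened context beside it, and a small checker a clinic can point at whatever context its own integration scripts build. No network connection is made; the contexts are constructed locally.

```python
# Added example (not from the article): the TLS client settings that decide
# whether "encrypted in transit" actually holds, with a checker for whatever
# context a clinic's integration scripts build. Standard library only; the
# contexts are constructed locally and no connection is opened.
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Encryption on, verification off: the usual shortcut when a vendor's
    certificate 'didn't work'. Any device on the path can present its own
    certificate, terminate the session, and read the ePHI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verified peer, hostname checked, TLS 1.0/1.1 refused."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def transmission_findings(ctx: ssl.SSLContext) -> list[str]:
    """Return the ways a context fails to protect ePHI in transit; empty is good."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: session can be intercepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any valid certificate is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 allowed: deprecated protocol versions negotiable")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, transmission_findings(ctx) or ["ok"])
```

The first two findings are the ones that matter most: a context that does not require and check the peer certificate is encrypted to whoever answers, which is exactly the interception the transmission security standard exists to prevent.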
Required versus addressable
Required specifications must be implemented. No alternative is permitted.
Addressable specifications must also be implemented unless the covered entity assesses that the specification is not reasonable and appropriate in its environment, documents why, and implements an equivalent alternative measure where one is reasonable and appropriate (45 CFR 164.306(d)(3)). The word “addressable” does not mean optional.
In practice, most small clinics should implement all of the addressable specifications above. The cost of TLS and automatic logoff is near zero. A risk analysis that concludes either is disproportionate to risk will be difficult to defend.
Where technical safeguards connect to everything else
Technical safeguards are one of three Security Rule pillars. Administrative safeguards (hipaa-administrative-safeguards) establish the organizational and training framework. Physical safeguards (hipaa-physical-safeguards) govern facility access and workstation use. Technical controls operate within the boundaries those other two pillars define.
A risk analysis under 45 CFR 164.308(a)(1) is what connects all three. Without it, a clinic cannot rationally determine which technical controls are proportionate to its actual threat environment.
PHIGuard documents technical safeguard decisions, tracks policy acknowledgements, and maintains an audit trail of PHI-related activity. Plans start at $99 per clinic, with a BAA included. See HIPAA compliance for more.
Sources
- 45 CFR 164.312 — Technical Safeguards · eCFR
- Security Rule Guidance Material · HHS OCR
- NIST SP 800-66 Rev. 2 · NIST