Awareness article
HIPAA for Healthcare IT Staff: Security Obligations
IT staff in small clinics carry direct HIPAA Security Rule obligations. This guide covers access controls, audit controls, transmission security, device management, and when IT staff are business associates vs. workforce members.
Short answer
Healthcare IT staff — whether internal employees or contracted support — must implement and maintain technical safeguards required by the HIPAA Security Rule: access controls (45 CFR § 164.312(a)), audit controls (§ 164.312(b)), transmission security (§ 164.312(e)), and device and media controls (§ 164.310(d)), plus documented security configurations and patch management.
You are responsible for the infrastructure that makes PHI security possible. Unlike administrative staff whose HIPAA obligations are largely about access and disclosure, you configure systems, manage networks, provision access, and maintain the audit logs that the entire compliance program depends on. Whether you are an in-house IT staff member, a contracted managed services provider, or a freelance consultant, the Security Rule obligations are the same.
Scenario: A 5-provider family medicine clinic’s IT contractor remotely accesses the EHR server to perform routine maintenance. No BAA is in place because the clinic’s practice manager assumed “they’re just doing IT work.” Under the business associate definition in 45 CFR § 160.103, a person who creates, receives, maintains, or transmits PHI on the clinic’s behalf is a business associate, and a contractor with administrative access to a server holding ePHI maintains that ePHI even when the work is only maintenance. The clinic must obtain a signed BAA before permitting that access (§ 164.308(b)(1), § 164.502(e)). Every remote maintenance session that occurred before the BAA was signed is a potential impermissible disclosure. The BAA should have been signed before the first connection.
Access Controls: 45 CFR § 164.312(a)
The technical safeguard standard for access controls requires your clinic to implement technical policies and procedures allowing only authorized persons to access ePHI. The standard contains four implementation specifications.
Unique User Identification (Required)
Under 45 CFR § 164.312(a)(2)(i), every individual who accesses ePHI must have a unique user ID — no exceptions. Shared logins, group accounts, or role-based credentials shared by multiple users fail this requirement because they make it impossible to attribute system activity to a specific person.
In practice: every clinic employee who accesses the EHR gets their own login credentials; temporary staff and locum providers get temporary unique credentials, not a shared “temp” login; and when an employee departs, their credentials are deactivated — not reassigned to the next hire.
What not to do: Do not create a “front desk” login shared by three receptionists because it is easier to manage one account. When a breach or unauthorized access event occurs, shared credentials prevent your clinic from determining which individual was responsible, which compounds the compliance failure.
Emergency Access Procedure (Required)
Under § 164.312(a)(2)(ii), your clinic must establish procedures for obtaining necessary ePHI during an emergency, such as a system outage, lost credentials, or key personnel being unavailable. Document the emergency access procedure, specify who can authorize emergency access, what systems it applies to, and how the access is logged and reviewed afterwards. Test it at least annually (the rule sets no interval, so record the test and its result).
Automatic Logoff (Addressable)
Under § 164.312(a)(2)(iii), workstations accessing ePHI should automatically terminate sessions after a defined period of inactivity. “Addressable” does not mean optional: under 45 CFR § 164.306(d)(3) you assess whether the specification is reasonable and appropriate for your environment, implement it if it is, and otherwise document why not and implement an equivalent alternative measure where one is reasonable and appropriate.
A common baseline for small clinics (the rule sets no specific interval, so record the rationale in the risk analysis): 15-minute timeout for clinical workstations; 5-minute timeout for workstations in areas accessible to patients or visitors. Enforce the timeout in the EHR application and in remote-access sessions as well as with the operating-system screen lock, and require re-authentication to resume.
Encryption and Decryption (Addressable)
Under § 164.312(a)(2)(iv), encryption mechanisms for ePHI at rest should be implemented or a documented alternative should exist. The practical reason to treat this as mandatory: under 45 CFR § 164.402 a lost or stolen device holding unsecured ePHI is presumed to be a breach unless a documented risk assessment shows a low probability of compromise, whereas ePHI encrypted in line with HHS guidance is not “unsecured” and its loss does not trigger breach notification at all. Full-disk encryption on every laptop, workstation, and portable medium that holds ePHI is therefore the practical standard. Choosing not to encrypt requires a documented risk analysis justification, not an assumption that it is not required.
Audit Controls: 45 CFR § 164.312(b)
The audit control standard requires your clinic to implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing or using ePHI. The entire standard is required — there is no addressable vs. required breakdown.
Logging must be enabled. Every system that stores or processes ePHI must have audit logging enabled — the EHR, billing platform, email server (if used for clinical communications), network devices, and any cloud storage used for clinical records.
Logs must be retained. The Security Rule sets no specific log retention period; set one in your risk analysis and policy, and note that many clinics align it with the six-year retention that § 164.316(b)(2)(i) imposes on security documentation. Whatever period you choose, keep the logs in a form that supports investigation: searchable, with synchronized timestamps across systems.
Logs must be reviewed. Enabling logging is not sufficient. Your clinic must have a procedure for reviewing logs — through automated alerting, periodic manual review, or both. Unreviewed logs provide no compliance protection because the purpose of audit controls is to detect unauthorized activity, not just record it.
Log integrity must be maintained. Configure logging systems so that administrative access to modify or delete logs is restricted and is itself logged, and forward logs to a separate log server or service on which the EHR and domain administrators have no delete rights, so the record survives compromise or misuse of the source system. Audit logs that can be silently altered by administrators do not meet the standard.
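To make the review and integrity points concrete, here is an added example that is not code from this page or from any EHR vendor. It runs a handful of review rules (shared accounts, deactivated users, after-hours access, bulk chart viewing, administrators touching the audit trail) over a constructed audit log, then shows how a SHA-256 hash chain makes a silent edit or deletion detectable. The log format, account names, clinic hours, and thresholds are all assumptions.

```python
"""Added example (not from the page or any EHR product): review a constructed
EHR audit log for the anomalies audit controls exist to catch, and protect the
log with a SHA-256 hash chain so that a silent edit is detectable.
Log format, account names, clinic hours and thresholds are assumptions."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Fields: timestamp user action resource
SAMPLE_LOG = """\
2024-03-04T08:05:00 jsmith VIEW_RECORD MRN-00123
2024-03-04T08:06:30 frontdesk VIEW_RECORD MRN-00777
2024-03-04T02:13:00 rpatel VIEW_RECORD MRN-00555
2024-03-04T09:00:00 jsmith VIEW_RECORD MRN-00124
2024-03-04T09:00:05 jsmith VIEW_RECORD MRN-00125
2024-03-04T09:00:09 jsmith VIEW_RECORD MRN-00126
2024-03-04T10:15:00 kwong VIEW_RECORD MRN-00200
2024-03-04T17:45:00 itadmin AUDIT_LOG_DELETE audit.log
"""

SHARED_ACCOUNTS = {"frontdesk", "temp", "nurse", "admin"}  # assumed generic names (unique-ID failures)
DEACTIVATED_USERS = {"kwong"}                                # assumed: from the offboarding list
CLINIC_HOURS = (7, 19)                                       # assumed: 07:00 to 19:00 local
BULK_WINDOW = timedelta(seconds=60)                          # assumed record-snooping heuristic
BULK_THRESHOLD = 3                                           # distinct patient records per window
GENESIS = "0" * 64                                           # chain anchor for the first entry


def parse_log(text):
    """Turn whitespace-delimited lines into dicts; skip blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, resource = parts
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource})
    return entries


def review_log(entries):
    """Apply the review rules and return {rule: sorted list of users}."""
    findings = defaultdict(set)
    recent = defaultdict(list)  # user -> [(time, resource)] inside the sliding window
    for e in sorted(entries, key=lambda e: e["time"]):
        u, t = e["user"], e["time"]
        if u.lower() in SHARED_ACCOUNTS:            # activity cannot be attributed to one person
            findings["shared_account"].add(u)
        if u in DEACTIVATED_USERS:                  # credentials that should have been disabled
            findings["deactivated_user"].add(u)
        if not CLINIC_HOURS[0] <= t.hour < CLINIC_HOURS[1]:
            findings["after_hours"].add(u)
        if e["action"].startswith("AUDIT_LOG_"):    # an admin touching the audit trail itself
            findings["log_tampering"].add(u)
        if e["action"] == "VIEW_RECORD":            # many distinct charts in a short time
            window = [(wt, r) for wt, r in recent[u] if t - wt <= BULK_WINDOW]
            window.append((t, e["resource"]))
            recent[u] = window
            if len({r for _, r in window}) >= BULK_THRESHOLD:
                findings["bulk_access"].add(u)
    return {rule: sorted(users) for rule, users in findings.items()}


def chain_log(lines):
    """Append to each line a SHA-256 over (previous digest + line). Editing or
    removing an entry breaks verification from that point on."""
    chained, prev = [], GENESIS
    for line in lines:
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        chained.append(f"{line} {digest}")
        prev = digest
    return chained


def verify_chain(chained):
    """Return the index of the first entry whose digest fails, or None if intact."""
    prev = GENESIS
    for i, record in enumerate(chained):
        line, digest = record.rsplit(" ", 1)
        if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    return None


if __name__ == "__main__":
    for rule, users in review_log(parse_log(SAMPLE_LOG)).items():
        print(f"{rule:16s} {', '.join(users)}")
    chained = chain_log(SAMPLE_LOG.splitlines())
    print("intact chain:", verify_chain(chained))                   # None
    chained[2] = chained[2].replace("rpatel", "jsmith")               # an admin rewrites history
    print("after edit, first broken entry:", verify_chain(chained))  # 2
```

The chain catches any edit to an existing entry and any deletion from the middle, but not truncation of the tail, so copy the latest digest off-host on a schedule (or key the chain with an HMAC whose key the EHR administrator does not hold). Real EHRs expose audit data through their own reports or exports rather than a flat file; the review rules, not the parser, are the transferable part.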
Transmission Security: 45 CFR § 164.312(e)
The transmission security standard requires technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks.
Encryption of Transmission (Addressable)
Under § 164.312(e)(2)(ii), your clinic should implement a mechanism to encrypt ePHI in transit when appropriate. Given OCR’s enforcement history, encrypt ePHI in transit as the default. This applies to: data transmitted between the EHR and lab interfaces; data sent to referring providers or specialists; patient portal communications; any ePHI sent over public networks including email used for clinical purposes; and remote access to clinic systems (VPN or equivalent encrypted tunnel).
For a full picture of which communication channels require encryption, see PHI in email and PHI in text messaging.
Device and Media Controls: 45 CFR § 164.310(d)
Physical safeguards include device and media controls governing the receipt and removal of hardware and electronic media containing ePHI, and final disposition of ePHI before disposal.
Device inventory: Maintain a current inventory of all hardware — laptops, workstations, tablets, servers, portable drives — that stores or could store ePHI. Capture device type, serial number, assigned user, and encryption status.
Media disposal: Before disposing of any device or storage medium that contained ePHI, ensure the data is irretrievably destroyed using the Clear, Purge, or Destroy methods of NIST SP 800-88 Rev. 1. For magnetic hard drives that means physical destruction or a verified purge; for SSDs and flash media it means a cryptographic erase or purge, because overwrite tools written for magnetic disks do not reliably reach every flash cell. Deleting files is not sufficient. Formatting is not sufficient. Keep a sanitization record or certificate of destruction for each item.
Media re-use: If a device is being reassigned to a new user, securely wipe the storage before reassignment.
Removal tracking: Under § 164.310(d)(2)(iii) (accountability, addressable), keep a record of the movements of hardware and electronic media containing ePHI and of the person responsible for each. If a device leaves the clinic, log who took it, when, and where.
Documenting Security Configurations
You are responsible not just for implementing security controls but for documenting what has been implemented and why. This documentation demonstrates compliance during an OCR investigation and ensures security configurations survive personnel changes.
Documentation to maintain: network architecture diagram with security controls identified; firewall and access control configuration records; encryption implementation records; patch management schedule and completion log; incident response procedure; workstation use policy; and access provisioning and deprovisioning procedure.
Under 45 CFR § 164.316(b)(1), your clinic must maintain this documentation in written form (electronic is acceptable) and, under § 164.316(b)(2)(i), retain it for six years from the date of its creation or the date it was last in effect, whichever is later.
Patch Management as a HIPAA Obligation
The Security Rule does not specifically mention patch management, but the security management process standard at 45 CFR § 164.308(a)(1)(i) requires policies and procedures to prevent, detect, contain, and correct security violations, and its risk management specification (§ 164.308(a)(1)(ii)(B)) requires reducing identified risks to a reasonable and appropriate level. Unpatched systems are a primary vector for those violations.
Establish a documented patch cycle for all systems containing ePHI (monthly for critical patches, quarterly for non-critical, as a baseline). Treat operating system and application patches as non-deferrable when a vulnerability is actively exploited. Document the patch cycle, completion dates, and any exceptions with risk justification.
Business Associate vs. Workforce Member
This distinction determines your contracting and compliance accountability.
Workforce members are employees, volunteers, trainees, and persons under the direct control of the covered entity, whether or not they are paid (45 CFR § 160.103). Workforce members are governed by the clinic’s own HIPAA policies and training requirements. An in-house IT employee on the clinic’s payroll is a workforce member.
Business associates are persons or entities that perform functions on behalf of the covered entity and, in doing so, create, receive, maintain, or transmit PHI. An IT contractor who provides remote support and accesses clinic systems containing ePHI is a business associate. A BAA is required before the engagement begins (45 CFR § 164.308(b)(1)). The contractor is then responsible for their own HIPAA compliance obligations under the BAA.
PHIGuard is built on this distinction. The platform operates under a BAA at every tier — so small clinics can use it as a compliance management tool without creating an unaddressed business associate obligation. Learn more at phiguard.app/hipaa.