Advanced · 22 min read

Encryption & Security Standards

Technical requirements for protecting ePHI: encryption, access controls, and audit logging.

Sections: Encryption Standards · Access Controls · Audit Logging · Network Security · Device Management

Technical Safeguards Under HIPAA

The HIPAA Security Rule (45 CFR §164.312) requires covered entities and their business associates to implement technical safeguards to protect electronic protected health information (ePHI). This guide covers the technical requirements and the industry practices that satisfy them.

Encryption Requirements

What HIPAA Says

HIPAA classifies encryption as an "addressable" implementation specification. Addressable does not mean optional; it means you must:

  1. Assess whether encryption is a reasonable and appropriate safeguard in your environment
  2. If it is, implement it
  3. If it is not, document why and implement an equivalent alternative measure (if that alternative is itself reasonable and appropriate)

In practice: Encryption is almost always reasonable and appropriate for ePHI, and the breach-notification safe harbor described below applies only to data that was encrypted.

Encryption Standards

NIST Recommendations (the standards HHS points to in its guidance on securing PHI):

  • AES-128 or AES-256 for data at rest, in a mode suited to the use: XTS for full-disk encryption, an authenticated mode such as GCM for files, database fields and backups (NIST SP 800-111 covers storage encryption for end-user devices)
  • TLS 1.2 or higher for data in transit, configured per NIST SP 800-52 Rev. 2 (TLS 1.3 preferred; TLS 1.0 and 1.1 disabled)
  • Avoid deprecated algorithms: DES, 3DES, RC4, MD5, and SHA-1 for signatures and certificates
  • Protect the keys as carefully as the data: a disk whose recovery key sits in a plaintext file on the same machine is not meaningfully encrypted

Data at Rest Encryption

Full Disk Encryption:

  • BitLocker (Windows): XTS-AES, a TPM-backed key protector (TPM+PIN for laptops), recovery keys escrowed in Active Directory or Entra ID rather than kept on the device
  • FileVault (macOS): recovery key escrowed through MDM
  • LUKS (Linux): LUKS2 with a strong passphrase or a TPM-sealed key
  • Hardware-based encryption (self-encrypting drives): hard to audit from outside the drive, so prefer OS-managed encryption with the TPM as key protector and treat drive self-encryption as an extra layer, not the control
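
Full-disk encryption only satisfies the control if it is on and protecting the volume right now, not merely "enabled at some point". The following is an added example, not code from the original guide: it parses the text that Windows' built-in `manage-bde -status` prints and reports whether each volume meets the at-rest expectation (fully encrypted, XTS-AES, protection on, TPM protector present). The sample output is constructed for the example; on a real workstation run `manage-bde -status` from an elevated prompt and pass its output to `evaluate_volumes`. The equivalent evidence on macOS comes from `fdesetup status` and on Linux from `cryptsetup status`. Volume D: below shows the trap this check is for: "Fully Encrypted" with protection suspended means the volume key is stored unprotected on disk.

```python
import re
from dataclasses import dataclass

# Constructed sample of `manage-bde -status` output (not captured from a real machine).
# C: is healthy; D: is encrypted but its protectors are suspended and it uses the legacy mode.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 475.58 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
"""


@dataclass
class Volume:
    letter: str
    conversion: str
    method: str
    protection: str
    protectors: list


def parse_manage_bde(text: str) -> list:
    """Split manage-bde output into per-volume records.

    A volume block starts with 'Volume X: [label]'; the four-space indented
    'Field: value' lines belong to it, and eight-space indented lines under
    'Key Protectors:' are the protector names.
    """
    volumes, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Volume ([A-Z]): \[", line)
        if m:
            current = Volume(m.group(1), "", "", "", [])
            volumes.append(current)
            continue
        if current is None:
            continue
        kv = re.match(r"^\s{4}([A-Za-z ]+):\s*(.*)$", line)
        if kv:
            key, value = kv.group(1).strip(), kv.group(2).strip()
            if key == "Conversion Status":
                current.conversion = value
            elif key == "Encryption Method":
                current.method = value
            elif key == "Protection Status":
                current.protection = value
        elif re.match(r"^\s{8}\S", line):
            current.protectors.append(line.strip())
    return volumes


def evaluate_volume(v: Volume) -> list:
    """Return the reasons this volume fails the at-rest policy (empty list = compliant)."""
    problems = []
    if v.conversion != "Fully Encrypted":
        problems.append(f"conversion status is '{v.conversion}'")
    if not v.method.startswith("XTS-AES"):
        # 'AES 128' / 'AES 256' without the XTS prefix is the older CBC-based mode.
        problems.append(f"encryption method '{v.method}' is not XTS-AES")
    if v.protection != "Protection On":
        # Suspended protectors leave the volume master key on disk in the clear.
        problems.append("protection is not on (protectors suspended or absent)")
    if not any("TPM" in p for p in v.protectors):
        problems.append("no TPM-based key protector")
    return problems


def evaluate_volumes(text: str) -> dict:
    """Map each volume letter to its list of policy failures."""
    return {v.letter: evaluate_volume(v) for v in parse_manage_bde(text)}


if __name__ == "__main__":
    for letter, problems in evaluate_volumes(SAMPLE_STATUS).items():
        print(f"{letter}:", "compliant" if not problems else "; ".join(problems))
```

Run this from your endpoint management tool on a schedule and keep the per-device results: they are the evidence you will need if a laptop goes missing and you want to claim the safe harbor.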

Database Encryption:

  • Transparent Data Encryption (TDE)
  • Column-level encryption for sensitive fields
  • Encrypted backups

File-Level Encryption:

  • Encrypted file systems
  • Application-level encryption
  • Encrypted containers

Data in Transit Encryption

Web Traffic:

  • HTTPS with TLS 1.2+ (TLS 1.0 and 1.1 disabled on the server; TLS 1.3 preferred)
  • Valid certificates from a trusted CA, with expiry monitored so that a lapsed certificate never trains users to click through warnings
  • HSTS with a long max-age (one year or more) and includeSubDomains, so browsers refuse to fall back to plain HTTP

Email:

  • TLS for SMTP: STARTTLS is opportunistic and can be stripped by anyone on the path, so enforce it with MTA-STS (RFC 8461) or require TLS for known partner domains
  • S/MIME or PGP when the message body itself must be protected end to end
  • Encrypted email gateways or secure-portal delivery for patients and partners who cannot use S/MIME

VPN:

  • IPsec, WireGuard, or OpenVPN with current cipher suites
  • Strong authentication (device certificates plus MFA, not a shared pre-shared key)
  • Split tunneling: decide deliberately; a full tunnel keeps all ePHI traffic inside the VPN, while split tunneling bridges the device between the clinic network and whatever network it is sitting on
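
Two things are easy to get wrong here: a client that silently negotiates down to TLS 1.0, and an HSTS header that is present but too short to matter. The following added example (not part of the original guide) shows a Python `ssl` client context pinned to TLS 1.2+ with certificate verification on, a parser for the Strict-Transport-Security header, and a policy check run over an endpoint inventory. The three endpoint records are constructed for the example under assumed hostnames; in practice you would fill them from a scanner such as testssl.sh or `openssl s_client`.

```python
import re
import ssl

ONE_YEAR = 365 * 24 * 3600

# Constructed scan results for three assumed hosts (not real systems): negotiated
# protocol, cipher suite, whether the chain validated, and the raw HSTS header.
SAMPLE_ENDPOINTS = [
    {"host": "portal.example-clinic.test", "protocol": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "cert_valid": True,
     "hsts": "max-age=31536000; includeSubDomains; preload"},
    {"host": "legacy-ehr.example-clinic.test", "protocol": "TLSv1.0",
     "cipher": "AES128-SHA", "cert_valid": True, "hsts": None},
    {"host": "lab-results.example-clinic.test", "protocol": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "cert_valid": False,
     "hsts": "max-age=300"},
]


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and always validates the server."""
    ctx = ssl.create_default_context()             # system trust store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 / 1.1 cannot be negotiated
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns None if the header is absent, else a dict with 'max_age' in seconds
    (0 if the directive is missing) and booleans for the two flags.
    """
    if header is None:
        return None
    result = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip().lower()
        m = re.match(r'max-age\s*=\s*"?(\d+)"?$', directive)
        if m:
            result["max_age"] = int(m.group(1))
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
        elif directive == "preload":
            result["preload"] = True
    return result


def evaluate_endpoint(ep: dict) -> list:
    """Policy findings for one scanned endpoint (empty list = passes)."""
    findings = []
    if ep["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {ep['protocol']}; TLS 1.2+ required")
    if not ep["cert_valid"]:
        findings.append("certificate chain did not validate")
    # Require forward secrecy and an AEAD cipher: any TLS 1.3 suite qualifies,
    # for TLS 1.2 insist on ECDHE key exchange with GCM or ChaCha20-Poly1305.
    c = ep["cipher"]
    if not (c.startswith("TLS_") or ("ECDHE" in c and ("GCM" in c or "CHACHA20" in c))):
        findings.append(f"cipher {c} lacks forward secrecy or AEAD")
    hsts = parse_hsts(ep["hsts"])
    if hsts is None:
        findings.append("no HSTS header")
    elif hsts["max_age"] < ONE_YEAR:
        findings.append(f"HSTS max-age {hsts['max_age']} is under one year")
    return findings


def evaluate_endpoints(endpoints) -> dict:
    return {ep["host"]: evaluate_endpoint(ep) for ep in endpoints}


if __name__ == "__main__":
    print("client floor:", hardened_client_context().minimum_version.name)
    for host, findings in evaluate_endpoints(SAMPLE_ENDPOINTS).items():
        print(host, "->", "OK" if not findings else "; ".join(findings))
```

The client context matters as much as the server configuration: an integration script that uses a default context from an old library can quietly accept a downgraded connection to a partner's SMTP or API endpoint even though your own web tier is fine.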

The Safe Harbor

Under the Breach Notification Rule, only "unsecured" PHI triggers notification. Properly encrypted data that is lost or stolen may not require breach notification IF:

  • The encryption meets the NIST standards cited in the HHS guidance (SP 800-111 for data at rest; SP 800-52, 800-77 or 800-113 for data in transit)
  • The encryption key was not compromised (a recovery key stored on the same device, or a passphrase written on the laptop bag, forfeits the safe harbor)
  • The device was actually in an encrypted state when lost: a full-disk-encrypted laptop that was powered on and unlocked, or whose BitLocker protectors were suspended for a firmware update, holds its data in cleartext

This is huge: Encryption can be the difference between a reportable breach and a non-incident, but only if you can prove the three conditions above. Keep the asset inventory and encryption status reports that show a specific device was encrypted on a specific date.

Access Control Requirements

HIPAA Requirements (45 CFR §164.312(a)(2))

Unique User Identification (Required):

  • Each user has a unique ID
  • No shared accounts (including shared clinical workstation logins; use fast user switching or badge tap-in instead)
  • Every action in the audit trail is attributable to one person

Emergency Access Procedure (Required):

  • Documented "break-glass" process for reaching ePHI when normal access fails (EHR outage, after-hours care)
  • Break-glass credentials are sealed, alert when used, and are logged at elevated detail
  • Post-emergency review of everything accessed, then rotation of the credential

Automatic Logoff (Addressable):

  • Session timeout after inactivity, enforced server-side rather than only by the client screen saver
  • Recommended: 15 minutes or less
  • Screen lock after a shorter period on shared or public-facing workstations

Encryption and Decryption (Addressable):

  • Encrypt ePHI as appropriate
  • Key management procedures: who generates, stores, rotates and destroys keys, and how keys are kept apart from the data they protect

Implementation Best Practices

Authentication:

  • Strong passwords (12+ characters; length and breach screening matter more than forced complexity)
  • Multi-factor authentication (MFA)
  • Password managers encouraged
  • No password sharing

Authorization:

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews
  • Prompt deprovisioning

Password Policy Example (aligned with NIST SP 800-63B):

Password Requirements:
- Minimum 12 characters; longer passphrases encouraged and at least 64 characters accepted
- All printable characters and spaces permitted; no mandatory composition rules (uppercase/number/symbol mixes mostly produce "Welcome2024!")
- Screened at creation and reset against lists of known-breached and common passwords
- Cannot contain the username or the organization name
- Cannot reuse last 12 passwords
- Changed on evidence of compromise, not on a fixed schedule (NIST no longer recommends routine 90-day rotation, which drives predictable increments)
- Account locks after 5 failed attempts
- Lockout duration: 30 minutes or manual unlock by the help desk after identity verification
- MFA required in addition to the password for all access to ePHI
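
The policy above is only as good as the code that enforces it. The following is an added example, not the original guide's code: a checker that implements the length, username, organization-name, breached-list and history rules, plus a lockout tracker for the failed-attempt rule. The breached-password list is a constructed four-entry stand-in and the organization names are assumed; the verifier format (salted PBKDF2-HMAC-SHA256) is a stdlib-only placeholder for argon2id or bcrypt.

```python
import hashlib
import hmac
import os
import time

MIN_LENGTH, MAX_LENGTH = 12, 128
HISTORY_DEPTH = 12
MAX_FAILURES, LOCKOUT_SECONDS = 5, 30 * 60
ORG_WORDS = ("exampleclinic", "example clinic")   # assumed organization names
PBKDF2_ROUNDS = 200_000

# Constructed stand-in for a breached-password corpus. In production screen against a
# real one (e.g. the Have I Been Pwned range API: send the first five hex digits of the
# SHA-1 and compare the rest locally, so the password itself never leaves your network).
_CONSTRUCTED_BREACHED = {"password1234", "Welcome2024!", "Summer2025!!", "Hospital123!"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in _CONSTRUCTED_BREACHED}


def make_verifier(password: str, salt: bytes = None) -> bytes:
    """Salted slow-hash verifier: this is what gets stored, and what the password history
    keeps (never plaintext or a fast hash). Prefer argon2id or bcrypt where available."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_verifier(password: str, verifier: bytes) -> bool:
    salt, digest = verifier[:16], verifier[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, username: str, history=()) -> list:
    """Return the policy violations for a proposed password (empty list = accepted).
    `history` holds the user's most recent stored verifiers, newest last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if any(w in lowered for w in ORG_WORDS):
        problems.append("contains the organization name")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known-breached password list")
    if any(matches_verifier(candidate, v) for v in list(history)[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


class LockoutTracker:
    """Five failures inside the lockout window lock the account for 30 minutes; a
    success clears the counter; the help desk can unlock after verifying identity."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock for deterministic tests
        self._failures = {}              # username -> recent failure timestamps
        self._locked_until = {}

    def is_locked(self, username: str) -> bool:
        return self._locked_until.get(username, 0) > self._now()

    def record_failure(self, username: str) -> bool:
        """Record a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(username):
            return True
        now = self._now()
        recent = [t for t in self._failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return True
        self._failures[username] = recent
        return False

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)

    def unlock(self, username: str) -> None:
        """Manual unlock by the help desk after identity verification."""
        self._locked_until.pop(username, None)
        self._failures.pop(username, None)


if __name__ == "__main__":
    print(check_password("Welcome2024!", "jsmith"))
    print(check_password("correct horse battery staple", "jsmith"))
    tracker = LockoutTracker()
    for attempt in range(5):
        print("locked after failure", attempt + 1, "->", tracker.record_failure("jsmith"))
```

Note that the lockout is keyed by account, not source IP: a password-spraying attacker rotates addresses, and the thing you must protect is the account. Alert on a lockout, too; five failures in a row is a detection signal as well as a control.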

Multi-Factor Authentication

Strongly Recommended for:

  • Remote access to ePHI
  • Administrative accounts
  • EHR systems
  • Email (if PHI is transmitted)

MFA Methods:

  • Phishing-resistant methods (FIDO2/WebAuthn security keys, passkeys) preferred, and the right choice for administrators and remote access
  • Authenticator apps (TOTP) are a good default; verify codes server-side with a small clock-drift window and reject reuse of a code
  • Hardware OTP tokens
  • SMS codes (weakest option; NIST SP 800-63B treats the phone channel as "restricted" because of SIM swapping and interception, so avoid it for privileged accounts)
  • Biometrics as one factor on a managed device, always paired with another factor
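
When an EHR or portal verifies authenticator-app codes itself rather than through an identity provider, the server-side details decide whether the factor is worth anything: constant-time comparison, a narrow drift window, and refusing to accept a code twice. The following is an added example, not the original guide's code or any vendor's implementation: RFC 4226 HOTP and RFC 6238 TOTP from the standard library, wrapped in a verifier that remembers the last accepted time step per user so a phished or shoulder-surfed code cannot be replayed within its 30-second window. The secret is the published RFC 6238 test secret; a real enrolment generates a random 20-byte secret per user and stores it encrypted at rest.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
DRIFT_STEPS = 1     # accept one step either side to absorb clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side verifier with constant-time comparison and replay rejection.

    The highest time-step counter accepted for each user is remembered, and no
    code at or below that counter is accepted again (RFC 6238 section 5.2), so a
    code captured seconds earlier cannot be submitted a second time.
    """

    def __init__(self, now=lambda: int(time.time())):
        self._now = now                 # injectable clock, so tests are deterministic
        self._last_counter = {}         # user -> highest counter already consumed

    def verify(self, user: str, secret: bytes, code: str) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = self._now() // STEP_SECONDS
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if counter <= self._last_counter.get(user, -1):
                continue                # already consumed, or older than a consumed code
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_counter[user] = counter
                return True
        return False


def enrol_secret_b32(secret: bytes) -> str:
    """Base32 form of the shared secret, as shown to the user or embedded in an otpauth:// QR code."""
    return base64.b32encode(secret).decode()


# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890"). A real enrolment
# uses os.urandom(20) and stores the secret encrypted, like any other credential.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(now=lambda: 59)
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code, "(RFC 6238 gives 94287082, truncated to six digits)")
    print("first use accepted:", v.verify("jsmith", RFC_TEST_SECRET, code))
    print("replay accepted:", v.verify("jsmith", RFC_TEST_SECRET, code))
```

Rate-limit the verify endpoint as well: a six-digit code with a three-step window is a one-in-333,333 guess, which is fine against a human and not fine against a script allowed unlimited attempts.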

Audit Controls

HIPAA Requirements (45 CFR §164.312(b))

You must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. The rule does not say what to log or how long to keep it; those decisions come out of your risk assessment and should be written down.

What to Log

User Activity:

  • Login attempts (success and failure)
  • Logout events
  • Password changes
  • Access to patient records
  • Modifications to records
  • Print/export/download actions

System Activity:

  • System startup/shutdown
  • Configuration changes
  • Security events
  • Application errors

Administrative Activity:

  • User account changes
  • Permission modifications
  • Security setting changes

Log Management

Retention:

  • HIPAA sets no explicit audit-log retention period; the 6-year documentation retention requirement (45 CFR §164.316(b)(2)) is commonly applied to audit records as well
  • Consider longer for legal protection (state law and litigation holds may require it)

Protection:

  • Logs should be tamper-evident: forward them off the source system to a central collector in near real time, store them append-only, and chain or sign entries so that any modification is detectable
  • Restrict access to logs (the administrators whose actions are recorded should not be able to edit the record)
  • Encrypt log storage and transport (a log of which patient a user viewed is itself ePHI)
  • Back up logs regularly and test the restore

Review:

  • Regular log review process with a named owner and a recorded outcome
  • Automated alerting for suspicious activity: bursts of failed logins, access to records with no treatment relationship, bulk viewing or export, after-hours use of front-desk accounts
  • Investigation procedures

Sample Audit Log Entry

The entry below records the patient's name, which makes the log itself ePHI; many systems store only the internal record ID and resolve names at review time.

Timestamp: 2026-01-15 14:32:45 UTC
User: jsmith
Action: VIEW
Resource: Patient Record #12345
Patient: Jane Doe
IP Address: 192.168.1.100
Workstation: FRONT-DESK-01
Application: EHR
Result: SUCCESS
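
Two of the requirements above, tamper-evident storage and automated review, are easy to state and worth seeing in code. The following is an added example, not the original guide's code or any EHR vendor's: an append-only audit log in which each entry's hash commits to the previous entry (so editing or deleting a record breaks the chain from that point on), and two review rules run over the entries: a burst of failed logins, and one user opening an unusual number of distinct patient records in ten minutes. The entries are constructed in the layout of the sample above, with patients referenced by an internal record ID rather than by name; the thresholds are assumptions to tune per role.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


class AuditLog:
    """Append-only audit trail in which every entry commits to the one before it.

    entry.hash = sha256(prev_hash + canonical JSON of the entry's fields), so editing
    or deleting any earlier record invalidates every hash after it. Ship the latest
    hash to a separate system (SIEM, WORM storage) on a schedule; otherwise an admin
    with write access could rewrite the whole chain from the first entry.
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash: str, fields: dict) -> str:
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

    def append(self, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(fields, prev_hash=prev, hash=self._digest(prev, fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Index of the first entry whose chain link is broken, or -1 if intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
            if entry["prev_hash"] != prev or entry["hash"] != self._digest(prev, fields):
                return i
            prev = entry["hash"]
        return -1


# Assumed thresholds; tune per role (a medical records clerk legitimately opens more
# charts per hour than a front-desk account does).
FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
BULK_VIEW_THRESHOLD, BULK_VIEW_WINDOW = 20, timedelta(minutes=10)


def detect(entries) -> list:
    """Run the two review rules over the entries and return alert strings."""
    alerts = []
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append((datetime.fromisoformat(e["timestamp"]), e))
    for user, events in by_user.items():
        events.sort(key=lambda x: x[0])
        failures = [t for t, e in events if e["action"] == "LOGIN" and e["result"] == "FAILURE"]
        for i, start in enumerate(failures):          # sliding window over failure times
            n = sum(1 for t in failures[i:] if t - start <= FAILED_LOGIN_WINDOW)
            if n >= FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{user}: {n} failed logins within {FAILED_LOGIN_WINDOW}")
                break
        views = [(t, e["resource"]) for t, e in events if e["action"] == "VIEW"]
        for i, (start, _) in enumerate(views):        # sliding window over record views
            distinct = {r for t, r in views[i:] if t - start <= BULK_VIEW_WINDOW}
            if len(distinct) >= BULK_VIEW_THRESHOLD:
                alerts.append(f"{user}: {len(distinct)} distinct patient records viewed within {BULK_VIEW_WINDOW}")
                break
    return alerts


def build_sample_log() -> AuditLog:
    """Constructed entries in the guide's layout (not real data)."""
    log = AuditLog()
    t0 = datetime(2026, 1, 15, 14, 30, tzinfo=timezone.utc)
    base = dict(user="jsmith", ip="192.168.1.100", workstation="FRONT-DESK-01", application="EHR")
    for m in range(5):   # five failed logins in four minutes, then a success
        log.append(timestamp=(t0 + timedelta(minutes=m)).isoformat(), action="LOGIN",
                   resource="-", result="FAILURE", **base)
    log.append(timestamp=(t0 + timedelta(minutes=6)).isoformat(), action="LOGIN",
               resource="-", result="SUCCESS", **base)
    for n in range(25):  # twenty-five different patient records opened in ten minutes
        log.append(timestamp=(t0 + timedelta(minutes=7, seconds=24 * n)).isoformat(),
                   action="VIEW", resource=f"patient/{12300 + n}", result="SUCCESS", **base)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    for a in detect(log.entries):
        print("ALERT", a)
    log.entries[2]["result"] = "SUCCESS"          # someone "tidies up" a failed login
    print("first broken entry after tampering:", log.verify())
```

The chain detects modification after the fact; it does not prevent it, which is why the forwarding step in the docstring is part of the control rather than an optional extra.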

Network Security

Firewalls

Requirements:

  • Perimeter firewall
  • Internal segmentation (clinical, administrative, and device networks do not share one flat LAN)
  • Stateful inspection
  • Regular rule review (remove rules without a documented owner and purpose)

Best Practices:

  • Default deny, inbound and outbound
  • Minimal open ports
  • Network segmentation
  • DMZ for public services (patient portal, external mail)

Intrusion Detection/Prevention

Consider implementing:

  • Network IDS/IPS
  • Host-based detection
  • Behavioral analysis
  • 24/7 monitoring (or managed service)

Wireless Security

Requirements:

  • WPA3 or WPA2-Enterprise (802.1X with per-user credentials or device certificates, so one departure does not mean re-keying every device)
  • Separate guest network with no route to clinical systems
  • Strong passwords/certificates
  • Regular security assessments (including a walk-through for rogue access points)

Avoid:

  • WEP (completely broken; keys are recoverable in minutes)
  • WPA-Personal in clinical areas (one shared passphrase, known to everyone who has ever connected)
  • Default passwords
  • Hidden SSIDs (security through obscurity; clients also broadcast probes for hidden networks wherever they roam)

Network Segmentation

Separate networks for:

  • Medical devices
  • Administrative systems
  • Guest access
  • IoT devices

Device Management

Workstations

Security Requirements:

  • Full disk encryption
  • Antivirus/anti-malware
  • Auto-lock after inactivity
  • Regular patching
  • Secure configuration

Configuration Checklist:

  • Encryption enabled
  • Antivirus installed and updated
  • Firewall enabled
  • Auto-updates enabled
  • Screen lock configured (5 min)
  • USB restrictions applied
  • Administrative rights restricted

Mobile Devices

If mobile devices access ePHI:

  • Device encryption
  • Remote wipe capability
  • Strong passcode/biometric
  • MDM (Mobile Device Management)
  • Containerization for BYOD

Mobile Device Policy Elements:

MOBILE DEVICE SECURITY REQUIREMENTS

1. Device must have passcode (6+ digits) or biometric lock
2. Device encryption must be enabled
3. Remote wipe must be configured
4. No jailbroken/rooted devices
5. Automatic updates must be enabled
6. Lost/stolen devices reported immediately
7. ePHI apps must use separate authentication
8. No PHI storage on personal cloud services

Medical Devices

Special Considerations:

  • Often can't be patched normally (updates must come through the vendor's validated process and may lag the OS vendor's fixes by months)
  • May have long lifecycles, outliving the operating system they run on
  • Network segmentation critical: put them on their own VLAN with only the flows they need (to the EHR/PACS, to the vendor's update service)
  • Vendor coordination required; ask for the device's security documentation, including a software bill of materials

Disposal

When disposing of any device:

  • Inventory tracking
  • Certified data destruction (cryptographic erase or media sanitization per NIST SP 800-88; deleting files or reformatting is not destruction)
  • Certificate of destruction
  • Chain of custody documentation

Patch Management

Requirements

Keep systems current with security updates:

  • Operating systems
  • Applications
  • Firmware
  • Medical devices (coordinate with vendor)

Process

  1. Identify: Monitor for new patches
  2. Assess: Evaluate criticality and compatibility
  3. Test: Test in non-production environment
  4. Deploy: Roll out systematically
  5. Verify: Confirm successful installation
  6. Document: Maintain patching records

Timeline Guidelines

  Severity                       Remediation timeline
  Critical (actively exploited)  24-48 hours
  Critical                       7 days
  High                           30 days
  Medium                         60 days
  Low                            90 days

Security Assessment

Regular Assessments

Vulnerability Scanning:

  • At least quarterly
  • After significant changes
  • Automated tools
  • Remediation tracking

Penetration Testing:

  • Annually recommended
  • After major changes
  • Internal and external
  • Qualified third party

Risk Assessment

Technical findings should feed into your overall HIPAA risk assessment:

  • Identify vulnerabilities
  • Assess likelihood and impact
  • Prioritize remediation
  • Track progress

Technical Security Checklist

Encryption

  • Full disk encryption on all devices
  • Database encryption for ePHI
  • TLS 1.2+ for all transmissions
  • Email encryption available
  • Backup encryption

Access Control

  • Unique user IDs
  • Strong password policy
  • Multi-factor authentication
  • Role-based access
  • Regular access reviews

Audit Controls

  • Comprehensive logging enabled
  • Log protection and retention
  • Regular log review
  • Alerting configured

Network Security

  • Firewalls configured
  • Network segmentation
  • Wireless security (WPA2/3)
  • Intrusion detection

Device Management

  • Endpoint protection
  • Mobile device management
  • Patch management process
  • Secure disposal procedures

HIPAA Agent provides technical compliance checklists, helps you document your security controls, and guides you through technical safeguard requirements with AI-powered assessments.


Related Guides

  • Complete HIPAA Compliance Checklist (Beginner · 15 min read)
  • Security Risk Assessment Guide (Intermediate · 25 min read)
  • HIPAA Policy Templates Guide (Intermediate · 20 min read)