HIPAA Technical Safeguards: How To Protect Sensitive Data

6 min read Darryn Campbell on Mar 21, 2024

Technology has evolved to become a critical tool in data management. Gone are the days when businesses would manage physical files containing sensitive information. Now, with advancements in technology, healthcare organizations have adopted electronic health records (EHRs), enabling individuals and providers to access information remotely. This digital transformation, however, introduces new vulnerabilities. To counter such threats and ensure the safe management of electronic protected health information (ePHI), HIPAA technical safeguards have been developed.

What is PHI under HIPAA?

PHI (Protected Health Information) is any identifiable health information used by a HIPAA covered entity or a business associate. There are 18 types of HIPAA data that are considered protected health information. Examples of PHI include an individual's name, address, or medical records.

PII vs PHI: What’s the difference

Personally Identifiable Information (PII) goes hand in hand with PHI. It is defined as any patient data that can be used to identify a specific individual. This can include an identifier such as the Social Security number or the patient identification number. In short, PII is used to distinguish or trace someone's identity. Essentially, the difference between the two is that PHI pertains to HIPAA covered entities that have this identifiable health information.

The Five HIPAA Technical Safeguards

As defined in the HIPAA Administrative Simplification Regulation Text, technical safeguards are "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it." To ensure HIPAA compliance, covered entities must implement the following technical safeguards.

HIPAA Technical Safeguards: Access Control

Access control, as part of the technical safeguards, plays a significant role in preventing data breaches. It restricts unauthorized access to ePHI and reduces the risk of data compromise. In compliance with the HIPAA security rule, businesses implement procedures that control access to health information. With the advent of advanced technologies, businesses can now utilize systems like biometric or AI-based access control systems, offering a greater level of security. Implement policies that require a unique name and unique user identification, automatic logoff of workstations and information systems, and physical safeguards for these systems.
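The unique user identification and automatic logoff policies named above can be enforced in a session layer. The following is an added example, not PubNub code: the `SessionStore` class, the 15-minute idle timeout and the user ID are assumptions chosen for illustration, and credential verification at login is left out.

```python
import secrets
import time


class SessionStore:
    """Sessions keyed by a random token; each one is bound to exactly one user ID."""

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # assumed policy value: 15 minutes
        self.clock = clock                # injectable so the timeout can be tested
        self._users = set()
        self._sessions = {}               # token -> [user_id, last_activity]

    def register(self, user_id):
        # Unique user identification: refuse shared or duplicate IDs.
        if user_id in self._users:
            raise ValueError(f"user ID already assigned: {user_id}")
        self._users.add(user_id)

    def login(self, user_id):
        # Password or MFA verification would happen here (out of scope).
        if user_id not in self._users:
            raise KeyError(user_id)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [user_id, self.clock()]
        return token

    def authorize(self, token):
        """Return the user ID for a live session, or None after automatic logoff."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self.clock() - session[1] > self.idle_timeout:
            del self._sessions[token]     # automatic logoff on inactivity
            return None
        session[1] = self.clock()         # activity resets the idle timer
        return session[0]


if __name__ == "__main__":
    store = SessionStore()
    store.register("dr.baker")            # constructed sample user ID
    token = store.login("dr.baker")
    print(store.authorize(token))
```

Because every request is authorized through a token tied to one user ID, each access can later be attributed to a single person in the audit trail.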

HIPAA Technical Safeguards: Audit Controls

While access control ensures that breadcrumbs are left, audit controls are responsible for tracking them. There are several ways to accomplish this. One of the most common is to record activity related to the access and use of files that contain electronic PHI. It is important not to wait until a complaint surfaces to examine this information. Proactive organizations assign the task of auditing session activities to their IT teams, managers, team leads, or even auditors who specialize in this area.

Good audit control mechanisms entail more than just collecting data. It should also be possible to generate reports when requested. This data may include how many people accessed a particular file and when. It might also look at the session activity of one specific employee who may have come under suspicion for noncompliance. When noncompliance is intentional, audit reports help to protect organizations by showing that the violations were the action of one employee rather than a company-wide issue or lax policies.

Audit controls may help covered entities and investigators to uncover patterns that lead them to vulnerabilities. Sometimes noncompliance is unintentional. For example, a new employee may not fully understand or follow all the technical recommendations in the company policy.
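The reports described in this section (who accessed a particular file and when, and the session activity of one employee) can be generated from a simple access log. This is an added example, not code from the original article: the CSV layout, the user and record IDs, and the 07:00 to 19:00 working window are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data): one row per ePHI access.
SAMPLE_LOG = """timestamp,user_id,action,record_id
2024-03-18T09:02:11,nurse.adams,read,MRN-1001
2024-03-18T09:05:40,dr.baker,read,MRN-1001
2024-03-18T09:06:02,dr.baker,update,MRN-1001
2024-03-18T23:41:17,clerk.cole,read,MRN-1001
2024-03-18T23:42:03,clerk.cole,read,MRN-1002
2024-03-18T23:42:55,clerk.cole,read,MRN-1003
"""

def load_events(text):
    """Parse the CSV audit trail into dicts with a real datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events

def record_report(events, record_id):
    """Who accessed one record, how often, and when they last did."""
    report = defaultdict(lambda: {"count": 0, "last": None})
    for e in events:
        if e["record_id"] == record_id:
            entry = report[e["user_id"]]
            entry["count"] += 1
            entry["last"] = max(entry["last"] or e["timestamp"], e["timestamp"])
    return dict(report)

def user_activity(events, user_id):
    """Chronological session activity for one employee under review."""
    mine = (e for e in events if e["user_id"] == user_id)
    return sorted(mine, key=lambda e: e["timestamp"])

def off_hours_access(events, start_hour=7, end_hour=19):
    """Flag accesses outside the assumed 07:00-19:00 working window."""
    return [e for e in events if not start_hour <= e["timestamp"].hour < end_hour]

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for user, info in record_report(events, "MRN-1001").items():
        print(user, info["count"], info["last"].isoformat())
    for e in off_hours_access(events):
        print("off-hours:", e["user_id"], e["record_id"], e["timestamp"].isoformat())
```

Running reports like these on a schedule, rather than after a complaint, is what makes the review proactive.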

HIPAA Technical Safeguards: PHI and Data Integrity

The HHS defines data integrity as the characteristic of data that has not experienced "improper alteration or destruction." HHS identifies patient safety issues as one of its primary concerns in these instances. Missing or altered information could cause someone to receive an incorrect diagnosis, treatment, or medication.

Professionals are most likely to suspect malicious behavior on the part of someone else, such as a hacker or medical staff member. However, data can become corrupted on its own. A glitch in the system or an error while saving the file can create unauthorized and unintentional changes.

One of the best ways to maintain data integrity is to store all your PHI data off-site for at least six years. The data should be stored in their original formats and should not be modifiable. Any new data may warrant the creation of a new file.

HIPAA Technical Safeguards: Person or Entity Authentication

To comply with access control, audit control, and integrity, covered entities need to invest in authentication features. There are several ways to tackle this step. The most common methods might include emailing, calling, using an app or website, or visiting the organization in person. 

Authentication is just as important for patients as employees. As discussed earlier, individual logins make it easy to track session activities. When it comes to authentication, the assumption is that a person who should not have access to certain information would not have access to a password to get into the system.

When people call, email, or visit in person, presenting evidence is essential here as well. Identifying information may include a government-issued ID with a name and a photo, Social Security number, or other personal information. Some insurance companies, for instance, may ask for date of birth or street address.

HIPAA Technical Safeguards: Transmission Security

One of the most difficult aspects of protecting PHI is when it is in motion. Moving data between parties—even when those parties are both authorized—creates vulnerabilities. One party may not secure the data as well as the other. They may also have weaknesses in the networks that provide them with a connection. Transmission weaknesses can make it easier for cyber criminals to intercept and steal data without ever needing to hack a company.

HHS recommends the use of two main tools to protect data during transmission. The first is integrity controls, and the second is encryption. Integrity controls help to ensure that the data received is the same as the data sent. Organizations can achieve this by updating their network communications protocols. Message authentication codes are also effective.
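A message authentication code lets the receiver prove that a record arrived unchanged. The sketch below is an added example, not code from the original article: it uses HMAC-SHA256 from the Python standard library, and the record fields, the `seal` and `open_sealed` helper names and the pre-shared key are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def seal(key: bytes, record: dict) -> dict:
    """Sender: serialize the record canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def open_sealed(key: bytes, message: dict) -> dict:
    """Receiver: recompute the tag and reject the message on any mismatch."""
    body = message["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the check leaks no timing hints.
    if not hmac.compare_digest(expected, message.get("tag", "")):
        raise ValueError("integrity check failed: message altered or wrong key")
    return json.loads(body)


def demo():
    """Round-trip a constructed record, then show that an altered dose is caught."""
    key = secrets.token_bytes(32)  # assumed to be shared securely beforehand
    record = {"patient_id": "MRN-1001", "medication": "amoxicillin", "dose_mg": 500}
    message = seal(key, record)
    intact = open_sealed(key, message) == record
    tampered = dict(message, body=message["body"].replace("500", "5000"))
    try:
        open_sealed(key, tampered)
        detected = False
    except ValueError:
        detected = True
    return intact, detected


if __name__ == "__main__":
    print(demo())
```

The tag protects integrity only; the body is still readable in transit, which is why the MAC is paired with encryption.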

Encryption is a little more complicated. It involves changing data from its original form to something unauthorized persons cannot understand. Organizations must also accomplish this without corrupting the integrity of the data. Thankfully, there are several types of data encryption tools available for covered entities to use.

One important thing to note is that for the encryption tools to work as intended, both the sender and receiver must have access to the same or compatible software. It is best to stick to one tool for use throughout the organization.

Why Technical Safeguards Are Important

There are two main reasons the safeguarding of PHI is so important. The first is ethics and the second is the law. From an ethical standpoint, patients have a right to their privacy. Unauthorized access violates this and may lead to very sensitive information getting into the wrong hands. Data corruption may negatively impact patient lives and change your customers' trust in your company.

What is the purpose of technical security safeguards

When it comes to the legal aspect, the HIPAA Privacy Rule makes it mandatory for companies that handle PHI to better protect this data. Companies and their employees who violate HIPAA can get sued. Fines can climb as high as $250,000. Note also that there are three types of organizations that fall under this:

  • Healthcare clearinghouses

  • Health plan providers

  • Healthcare providers

According to HHS, the Privacy Rule does not detail what specific actions covered entities should take to protect data. It requires that companies make data security a priority. Even so, most of the five technical safeguards highlighted above follow the HHS recommendations.

How to Meet Technical Safeguard for PHI Standards

Most professionals have a general understanding of HIPAA technical safeguards, even without a background in tech. Proper implementation, on the other hand, requires strong technical know-how. For this, companies need to choose partners that bring the skills they need to the table.

At PubNub, we build APIs for clients that not only improve interconnectivity but prioritize data safety. We offer a fully customizable product to ensure we meet the needs of your company and your clients or patients. Use our contact form to get more information about how we can help to safeguard your clients and PHI.