Safeguarding electronic Protected Health Information through administrative, physical, and technical controls — and how to perform a risk analysis that satisfies regulators.
45 CFR Parts 160 & 164 Subparts A & C
Electronic Protected Health Information (ePHI) — any PHI created, received, maintained, or transmitted in electronic form. Applies to all covered entities and business associates.
Includes: EHRs, emails, text messages, lab results, scanned documents, data in cloud storage.
Paper records and oral communications are not subject to the Security Rule — but they are subject to the Privacy Rule. The Security Rule narrows to the electronic medium only.
PHI in voicemail or fax: Privacy Rule applies; Security Rule does not.
45 CFR § 164.302 | 45 CFR § 160.103 (definition of electronic protected health information)
Confidentiality: ePHI is not made available or disclosed to unauthorized persons or processes. Access controls, encryption, and authentication are the key mechanisms.
Integrity: ePHI is not altered or destroyed in an unauthorized manner. Audit controls, checksums, and version control help demonstrate that data has not been tampered with.
Availability: ePHI is accessible and usable by authorized persons on demand. Disaster recovery, backups, and uptime planning protect against data loss and downtime.
45 CFR § 164.306(a) — General Requirements
Required specifications: must be implemented, with no flexibility. If the standard lists a specification as required, the covered entity or business associate must implement it, full stop.
Examples: Risk Analysis, Contingency Plan, Unique User Identification
Addressable specifications: must be assessed for whether they are reasonable and appropriate. If yes, implement the specification. If not reasonable, document why and implement an equivalent alternative measure, or document that no alternative exists.
Examples: Encryption, Automatic Logoff, Workstation Security
Common misconception: "Addressable" does not mean "optional." Failure to implement or document is a HIPAA violation.
45 CFR § 164.306(d)
1. Identify all systems, applications, and locations where ePHI is created, received, maintained, or transmitted.
2. Document reasonably anticipated threats (ransomware, insider misuse, hardware failure, natural disaster) and the system vulnerabilities they could exploit.
3. Evaluate how effectively existing technical, administrative, and physical safeguards reduce the likelihood or impact of each threat.
4. Assign probability and impact ratings to each threat-vulnerability combination and derive a risk level (e.g., High / Medium / Low).
5. Prioritize the risks and create a remediation plan. Both the risk analysis and the risk management plan must be documented and updated whenever operations change.
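The five-step risk analysis above, worked through as an added Python example that is not part of the original page. The three-point likelihood and impact scales, the High/Medium/Low thresholds, the way existing controls discount the inherent score, and the sample register are all constructed for illustration; the Security Rule requires that the ratings and the resulting plan be documented, not that any particular scale be used.

```python
from dataclasses import dataclass

# Qualitative rating scales. The three-point scales and the High/Medium/Low
# thresholds below are constructed for this example; the Security Rule leaves
# the scale to the covered entity, it only requires that ratings be documented.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str                    # step 1: where ePHI is created/received/maintained/transmitted
    threat: str                   # step 2: reasonably anticipated threat
    vulnerability: str            # step 2: weakness the threat could exploit
    likelihood: str               # step 4: probability rating (key of LIKELIHOOD)
    impact: str                   # step 4: impact rating (key of IMPACT)
    control_effectiveness: float  # step 3: 0.0 = no safeguard, 1.0 = fully mitigates


def inherent_score(item: RiskItem) -> int:
    """Likelihood x impact before crediting any existing safeguard."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def residual_score(item: RiskItem) -> float:
    """Inherent score reduced by the documented effectiveness of current controls."""
    if not 0.0 <= item.control_effectiveness <= 1.0:
        raise ValueError(f"control_effectiveness out of range for {item.asset!r}")
    return inherent_score(item) * (1.0 - item.control_effectiveness)


def risk_level(score: float) -> str:
    """Map a numeric score onto the High / Medium / Low scale used in the plan."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def build_remediation_plan(register):
    """Step 5: rank every threat-vulnerability pair by residual risk, highest first."""
    plan = []
    for item in register:
        res = residual_score(item)
        plan.append({
            "asset": item.asset,
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "inherent": inherent_score(item),
            "residual": round(res, 2),
            "level": risk_level(res),
        })
    plan.sort(key=lambda row: row["residual"], reverse=True)
    return plan


# Constructed sample register (fictional assets and ratings).
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "ransomware", "remote access service reachable without MFA", "high", "high", 0.25),
    RiskItem("Clinician laptops", "lost or stolen device", "no full-disk encryption", "medium", "high", 0.0),
    RiskItem("Backup tapes", "hardware failure", "single backup copy, untested restore", "medium", "medium", 0.5),
    RiskItem("Staff email", "phishing", "no attachment sandboxing", "high", "medium", 0.5),
]

if __name__ == "__main__":
    for row in build_remediation_plan(SAMPLE_REGISTER):
        print(f"{row['level']:6} residual={row['residual']:<5} {row['asset']}: "
              f"{row['threat']} via {row['vulnerability']}")
```

The residual column is what the remediation plan is ordered by: an asset with a strong existing safeguard drops down the list even when its inherent score is high, which is exactly the judgement step 3 asks the entity to document. Re-running the script after operations change (new system, new vendor, a control retired) regenerates the ordering, which is the "updated when operations change" requirement in practice.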
45 CFR § 164.308(a)(1) — Security Management Process (Required specification)
Security Management Process: risk analysis, risk management, sanction policy, information system activity review
Assigned Security Responsibility: designate a Security Officer responsible for HIPAA security policies
Workforce Security: authorization procedures, workforce clearance, termination procedures
Information Access Management: access authorization, establishment, and modification
Security Awareness and Training: security reminders, malware protection, log-in monitoring, password management
Security Incident Procedures: response to and reporting of security incidents
Contingency Plan: data backup, disaster recovery, emergency mode operations, testing and revision, applications and data criticality analysis
Evaluation: periodic technical and non-technical evaluation of security controls
Business Associate Contracts: written BAAs with all BAs who create, receive, maintain, or transmit ePHI
45 CFR § 164.308
Facility Access Controls: contingency operations, facility security plan, access control and validation, maintenance records. Limit physical access to facilities housing ePHI systems.
Workstation Use: document the proper functions of workstations that access ePHI and the physical environment in which they operate. Define acceptable use policies.
Workstation Security: implement physical safeguards that restrict workstation access to authorized users only: screen privacy filters, locked doors, cable locks, screens positioned away from public view.
Device and Media Controls: disposal, media re-use, accountability, and data backup/storage. Securely destroy hard drives, USB media, and paper before disposal.
45 CFR § 164.310
Audit Controls: hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. Audit logs must be retained and regularly reviewed.
Integrity: mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner: checksums, hash verification, message authentication codes.
Transmission Security: technical measures to guard against unauthorized access to ePHI transmitted over electronic networks. Encryption of ePHI in transit is the primary mechanism.
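"Regularly reviewed" is the part of the Audit Controls standard that most often goes unmet, so here is what a minimal review looks like in code. This is an added Python example, not code from the page; the log format, the three review rules (after-hours ePHI access, repeated failed logins, one account touching an unusual number of distinct patients) and their thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit events (fictional users and patient identifiers).
SAMPLE_LOG = """\
2023-05-04T09:12:01Z user=nurse01 action=VIEW patient=EX-1001 result=OK
2023-05-04T09:13:44Z user=nurse01 action=VIEW patient=EX-1002 result=OK
2023-05-04T02:40:09Z user=admin7 action=VIEW patient=EX-2200 result=OK
2023-05-04T02:41:30Z user=admin7 action=EXPORT patient=EX-2200 result=OK
2023-05-04T10:00:00Z user=temp22 action=LOGIN patient=- result=FAIL
2023-05-04T10:00:07Z user=temp22 action=LOGIN patient=- result=FAIL
2023-05-04T10:00:15Z user=temp22 action=LOGIN patient=- result=FAIL
2023-05-04T11:05:00Z user=billing3 action=VIEW patient=EX-3001 result=OK
2023-05-04T11:05:20Z user=billing3 action=VIEW patient=EX-3002 result=OK
2023-05-04T11:05:41Z user=billing3 action=VIEW patient=EX-3003 result=OK
2023-05-04T11:06:02Z user=billing3 action=VIEW patient=EX-3004 result=OK
2023-05-04T11:06:25Z user=billing3 action=VIEW patient=EX-3005 result=OK
2023-05-04T11:06:48Z user=billing3 action=VIEW patient=EX-3006 result=OK
"""

# Assumed key=value line layout; a real EHR's export will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts with a timezone-aware timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, unparseable lines deserve their own finding
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def review_audit_log(text, business_hours=(7, 19), bulk_threshold=5, failed_login_threshold=3):
    """Apply three review rules and return one finding per (rule, user)."""
    events = parse_events(text)
    after_hours = defaultdict(int)        # user -> ePHI access events outside business hours
    failed_logins = defaultdict(int)      # user -> failed LOGIN attempts
    patients_by_user = defaultdict(set)   # user -> distinct patient records touched
    start, end = business_hours

    for ev in events:
        if ev["action"] in ("VIEW", "EXPORT"):
            patients_by_user[ev["user"]].add(ev["patient"])
            if not (start <= ev["ts"].hour < end):
                after_hours[ev["user"]] += 1
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failed_logins[ev["user"]] += 1

    findings = []
    for user, n in after_hours.items():
        findings.append({"rule": "after_hours", "user": user,
                         "detail": f"{n} ePHI access event(s) outside {start:02d}:00-{end:02d}:00 UTC"})
    for user, n in failed_logins.items():
        if n >= failed_login_threshold:
            findings.append({"rule": "failed_logins", "user": user,
                             "detail": f"{n} failed login attempts"})
    for user, patients in patients_by_user.items():
        if len(patients) > bulk_threshold:
            findings.append({"rule": "bulk_access", "user": user,
                             "detail": f"{len(patients)} distinct patient records accessed"})
    return sorted(findings, key=lambda f: (f["rule"], f["user"]))


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

Each finding is a prompt for a documented follow-up (was the after-hours export authorized? is the account locked out?), and the review run itself, with its date and outcome, is the evidence an auditor will ask for under the information system activity review requirement.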
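To make the distinction between a plain checksum and a message authentication code concrete, here is an added Python example (not code from the page) that seals an ePHI record with an HMAC-SHA256 tag and later verifies it. The record layout, the key handling and the sample values are constructed; in a real deployment the key would live in a KMS or HSM rather than in process memory.

```python
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization so the same record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed under a secret key.

    Unlike a bare hash, the tag cannot be recomputed by someone who can edit the
    stored record but does not hold the key, so unauthorized alteration is detectable.
    """
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


def verify_record(sealed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def verify_file_checksum(data: bytes, expected_sha256_hex: str) -> bool:
    """Plain SHA-256 check: catches accidental corruption (bad disk, truncated transfer),
    but only protects against deliberate tampering if the expected digest is stored
    somewhere the attacker cannot also rewrite."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256_hex)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed: a real key comes from a key manager
    lab_result = {"patient_id": "EXAMPLE-0001", "lab": "HbA1c", "value": "6.1%"}  # constructed

    sealed = seal_record(lab_result, key)
    print("stored record verifies:", verify_record(sealed, key))

    # Simulate an unauthorized edit of the stored value while keeping the old tag.
    tampered = {"record": dict(sealed["record"], value="9.9%"), "mac": sealed["mac"]}
    print("tampered record verifies:", verify_record(tampered, key))
```

The verify step is what the standard asks for: a mechanism that corroborates the record is unchanged, run at the point of use (on read, before display or transmission) and logged alongside the audit trail when it fails.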
45 CFR § 164.312
Under the Breach Notification Rule (45 CFR § 164.402), if lost or stolen ePHI was rendered unusable, unreadable, or indecipherable to unauthorized individuals, the incident is not a reportable breach (the encryption "safe harbor").
NIST-approved encryption (AES-128 minimum) satisfies this safe-harbor standard for data at rest and in transit.
45 CFR § 164.402 | HHS Guidance on NIST Encryption Standards (Feb. 2010)
OCR resolution agreements consistently require organizations to complete or update their risk analysis as the first corrective action.
Average healthcare data breach cost in 2023 — highest of any industry for 13 consecutive years (IBM Cost of a Data Breach Report)
Healthcare records exposed, stolen, or impermissibly disclosed in 2023 alone (HHS OCR data)
Of large healthcare breaches in 2023 were due to hacking or IT incidents — not lost/stolen devices