HIPAA Technical Safeguards: What Small Practices Actually Need
TLDR
HIPAA's Technical Safeguard standards require four things: access controls (who can reach ePHI), audit controls (logging who does what), integrity controls (detecting unauthorized changes), and transmission security (encrypting ePHI in transit). The rule also lists person or entity authentication as a separate standard; this article treats it as part of access control. For small practices, the gap is rarely the EHR. It's the task management tools, email, and file sharing that touch PHI but weren't designed for healthcare.
What Technical Safeguards Are
HIPAA’s Security Rule (45 CFR Part 164, Subpart C) requires covered entities to implement safeguards across three categories: administrative, physical, and technical. Technical safeguards are the technology side: the systems, software controls, and policies that protect electronic protected health information.
The Security Rule is technology-neutral. It doesn’t mandate specific products or encryption algorithms. It specifies outcomes: ePHI accessible only to authorized users, activity logged, data integrity maintained, transmission secured. How you achieve those outcomes can vary based on your practice’s size, risk environment, and existing systems.
A 5-person primary care clinic will implement these differently than a 200-person specialty group. The standard applies to both. What counts as “reasonable and appropriate” is where size actually matters.
The Four Standards
Access Controls (§ 164.312(a)(1))
Your systems must allow only authorized users to access ePHI. The required implementation specifications are unique user identification (each workforce member gets their own login, no shared accounts) and an emergency access procedure (a documented process for obtaining ePHI when normal access fails, which should itself be logged). Two further specifications are addressable, not required: automatic logoff (sessions end after a defined period of inactivity) and encryption and decryption of stored ePHI. Addressable does not mean optional; see below. The Security Rule also lists person or entity authentication (§ 164.312(d)), verifying that a user is who they claim to be, as its own standard; this article treats it as part of access control.
Your EHR, task management software, file storage, and any other system containing patient data must support individual accounts with role-based permissions. A front desk coordinator should not have the same access level as a physician. Your task management tool needs to enforce this, not just your EHR.
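The three access-control mechanisms above (role-based permissions with deny by default, a logged emergency access procedure, and automatic logoff) fit in a few dozen lines. The following is an added example, not PHIGuard's code or anything the Security Rule prescribes; the role matrix, the 15-minute idle timeout, the one-hour break-glass window, and the user names are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role -> permission matrix for a small clinic, constructed for
# this example. Anything not listed here is denied (deny by default).
ROLE_PERMISSIONS = {
    "physician": {("chart", "read"), ("chart", "write"), ("task", "read"), ("task", "write")},
    "front_desk": {("schedule", "read"), ("schedule", "write"), ("task", "read")},
    "biller": {("billing", "read"), ("billing", "write")},
}

IDLE_TIMEOUT = timedelta(minutes=15)      # assumed clinic policy value, not a HIPAA number
BREAK_GLASS_WINDOW = timedelta(hours=1)   # assumed duration of emergency access


@dataclass
class Session:
    user_id: str                 # one per workforce member; never a shared login
    role: str
    last_activity: datetime
    break_glass_until: Optional[datetime] = None


class AccessController:
    def __init__(self):
        self.events = []         # every decision is recorded for the audit trail

    def _log(self, session, resource, action, allowed, reason, now):
        self.events.append({
            "ts": now.isoformat(), "user": session.user_id, "resource": resource,
            "action": action, "allowed": allowed, "reason": reason,
        })

    def authorize(self, session, resource, action, now):
        """Return (allowed, reason). Checks idle logoff, then role, then break-glass."""
        # Automatic logoff: an idle session is terminated, never silently extended,
        # and any emergency elevation dies with it.
        if now - session.last_activity > IDLE_TIMEOUT:
            session.break_glass_until = None
            self._log(session, resource, action, False, "idle timeout", now)
            return False, "idle timeout"
        session.last_activity = now

        if (resource, action) in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(session, resource, action, True, "role", now)
            return True, "role"

        # Emergency access: elevated, time-boxed, and conspicuously logged.
        if session.break_glass_until is not None and now < session.break_glass_until:
            self._log(session, resource, action, True, "break-glass", now)
            return True, "break-glass"

        self._log(session, resource, action, False, "no permission", now)
        return False, "no permission"

    def break_glass(self, session, reason, now):
        """Invoke the emergency access procedure. A reason is mandatory and is logged."""
        if not reason.strip():
            raise ValueError("emergency access requires a stated reason")
        session.break_glass_until = now + BREAK_GLASS_WINDOW
        self.events.append({"ts": now.isoformat(), "user": session.user_id,
                            "action": "break_glass", "reason": reason})


def demo():
    """Walk one front-desk session through the three decision paths."""
    ac = AccessController()
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)     # constructed timestamp
    s = Session(user_id="j.rivera", role="front_desk", last_activity=t0)
    normal = ac.authorize(s, "chart", "read", t0)                          # denied: not in role
    ac.break_glass(s, "on-call physician unreachable, patient in exam room 2", t0)
    emergency = ac.authorize(s, "chart", "read", t0 + timedelta(minutes=5))  # allowed: break-glass
    stale = ac.authorize(s, "chart", "read", t0 + timedelta(minutes=40))     # denied: idle logoff
    return normal, emergency, stale, len(ac.events)


if __name__ == "__main__":
    print(demo())
```

The point of the shape: permissions are looked up, never inferred from a job title string; the emergency path grants nothing permanent and cannot be invoked without a reason that ends up in the log; and the idle check runs before anything else so a walked-away workstation cannot be used to finish a break-glass session.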
Audit Controls (§ 164.312(b))
The audit controls standard has no implementation specifications, required or addressable: the standard itself is the requirement. Your systems must implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
A task management app that shows “last edited by [name]” is not an audit log. The rule does not enumerate log fields, but a useful audit record captures who acted (the unique user ID), when, from where (source IP address or device), what they did (viewed, created, modified, deleted), and which record, with enough detail to reconstruct what the record contained at the time. Logging alone is not enough: the administrative safeguards require regular information system activity review (§ 164.308(a)(1)(ii)(D)), and the Security Rule's six-year documentation retention requirement (§ 164.316(b)(2)) is generally read to cover audit logs and the records of those reviews.
Integrity Controls (§ 164.312(c)(1))
Your systems must protect ePHI from improper alteration or destruction. The standard itself requires policies and procedures for maintaining integrity. Its one implementation specification, a mechanism to authenticate ePHI (an electronic means of confirming that data has not been altered or destroyed in an unauthorized manner), is addressable.
For software systems, integrity controls typically mean version history, checksums, tamper-evident logging, and access controls that prevent unauthorized deletion. For scanned paper records stored electronically, it means the storage system can detect unauthorized changes.
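The audit-log fields described under Audit Controls and the tamper-evident logging and checksums mentioned here can be served by one structure: an append-only log where each entry carries a hash of the previous one. The following is an added example, not PHIGuard's code or an HHS-prescribed format; the user names, IP addresses, timestamps and record contents are constructed for illustration.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def _digest(obj):
    """SHA-256 over a canonical JSON encoding, so equal entries always hash equal."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only audit log in which every entry commits to the hash of the
    previous one. Altering, reordering or removing an earlier entry changes
    the hash that every later entry was computed against."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, record_id, source_ip, timestamp, content=None):
        entry = {
            "seq": len(self.entries),
            "ts": timestamp,
            "actor": actor,          # the unique user ID, never a role or shared name
            "action": action,        # viewed / created / modified / deleted
            "record_id": record_id,
            "source_ip": source_ip,
            # Hash of the record content rather than the content itself: a reviewer
            # can prove what the record looked like without copying PHI into the log.
            "content_sha256": None if content is None
                              else hashlib.sha256(content.encode("utf-8")).hexdigest(),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, entry_count) or (False, index_of_first_bad_entry)."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


def build_sample_log():
    """Three constructed entries; names, IPs, times and content are made up."""
    log = AuditLog()
    log.record("dr.chen", "viewed", "pt-1001", "10.0.0.5", "2025-03-01T09:00:00Z", "BP 120/80, follow-up 2w")
    log.record("j.rivera", "modified", "task-77", "10.0.0.9", "2025-03-01T09:02:10Z", "Call pt-1001 re: labs")
    log.record("dr.chen", "deleted", "task-77", "10.0.0.5", "2025-03-01T09:30:00Z")
    return log


def tamper(log, index, field, value):
    """Edit one field of a stored entry in place and report what verify() says."""
    log.entries[index][field] = value
    return log.verify()


def drop_entry(log, index):
    """Delete a stored entry in place and report what verify() says."""
    del log.entries[index]
    return log.verify()


if __name__ == "__main__":
    print(build_sample_log().verify())                          # (True, 3)
    print(tamper(build_sample_log(), 1, "actor", "someone"))    # (False, 1)
    print(drop_entry(build_sample_log(), 1))                    # (False, 1)
    print(drop_entry(build_sample_log(), 2))                    # (True, 2)
```

The last call shows the caveat a practitioner should know: a hash chain detects edits, reordering and deletions in the middle, but not truncation from the end. To catch that, periodically anchor the latest hash somewhere the log writer cannot alter (a signed daily digest, write-once storage, or a separate system the reviewer controls), and confirm the anchored hash still appears in the chain during the scheduled review.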
Transmission Security (§ 164.312(e)(1))
Any ePHI transmitted over a network must be protected. The addressable specifications are encryption (using something like TLS) and integrity controls for data in transit.
Encryption in transit is the norm for HIPAA-compliant systems. Because the specification is addressable, HHS guidance makes clear that a practice transmitting ePHI unencrypted needs a well-documented reason and an equivalent alternative measure, and in practice that case is very hard to make. Modern compliant tools handle TLS automatically. If a tool sends data over plain HTTP, or over TLS with certificate validation turned off, it isn't suitable for ePHI.
Required vs. Addressable Specifications
Some practice administrators read “addressable” as optional. It isn’t — it means “implement this unless you can document a specific reason it doesn’t apply and show what you’re doing instead.”
Required specifications must be implemented as written. Addressable specifications must be implemented if they are reasonable and appropriate for your practice. If not, you document why and implement an equivalent alternative that achieves the same objective.
For small practices, most addressable specifications are reasonable and appropriate. The cases where a practice legitimately documents an alternative are genuinely narrow. And that documentation needs to be thorough enough to hold up when OCR asks for it.
Where Small Practices Actually Fail
EHR vendors have built HIPAA compliance into their products. BAAs are standard, and most clinicians know the EHR is regulated.
The secondary tool stack is a different story. A staff member who types a patient’s name into a Trello card, sends patient information from their personal Gmail, or shares a file via a personal Dropbox account has created an ePHI exposure in a system the practice cannot audit, cannot control, and has no BAA for.
Trello has no BAA at any tier. Standard Asana, Monday.com, and Notion (below their enterprise tiers) lack the audit controls and role-based access that ePHI requires. Personal Gmail and Yahoo accounts have no BAA and produce no audit log accessible to the practice. Consumer file sharing (personal Dropbox, personal Google Drive, iCloud) is not HIPAA-eligible. Standard Slack, iMessage, and WhatsApp are not compliant channels, even where the messages themselves are end-to-end encrypted: the practice gets no BAA and no audit log it can review.
The pattern is the same across all of these: tools that staff find convenient, adopted for operational reasons, without anyone running them through a compliance check first.
How to Audit Your Current Tool Stack
For each tool your practice uses, work through five questions:
- Does this tool ever contain a patient name, diagnosis, appointment detail, or billing information?
- Does it support unique user accounts with role-based access controls?
- Does it maintain an audit log of user activity — not just a “last edited” field, but a real activity history?
- Does it encrypt data in transit (TLS) and at rest?
- Will the vendor sign a BAA?
If the answer to question 1 is yes and any of 2 through 5 is no, you have a gap. The fix is either switching tools, upgrading to a HIPAA-eligible tier, or restructuring how you use the tool so ePHI never enters it.
PHIGuard is built to satisfy these technical safeguard standards: unique user IDs with role-based permissions, full audit logs for every task action, data integrity controls, TLS encryption in transit, and encryption at rest. A BAA is included at every pricing tier, Practice ($20/month) through Health System ($99/month).
We built it because the tools practices were already using for clinical coordination didn’t meet these requirements at prices a small practice could justify.
Definitions
- Technical Safeguards: Technology and policies that protect electronic protected health information (ePHI), required by HIPAA's Security Rule.
- ePHI (Electronic Protected Health Information): Protected health information that is created, stored, transmitted, or received electronically. Subject to HIPAA's Security Rule technical, physical, and administrative safeguard requirements.
- Access Control: Policies and technical mechanisms that allow only authorized users to access ePHI. Implementation specifications: unique user IDs and emergency access procedures (required), automatic logoff and encryption/decryption (addressable).
- Audit Control: Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Q&A
What are HIPAA technical safeguards?
HIPAA's Security Rule (§ 164.312) sets out technical safeguard standards: (1) access control, unique user IDs and role-based permissions; (2) audit controls, logs of who accessed ePHI and when; (3) integrity, mechanisms to ensure ePHI isn't improperly altered; (4) transmission security, encryption for ePHI in transit; and (5) person or entity authentication, verifying that a user is who they claim to be, which this article folds into access control.
Do small practices need to comply with all HIPAA technical safeguards?
Yes. Covered entities of all sizes must comply with the Security Rule's technical safeguard standards. Small practices must implement required specifications and address addressable specifications, or document why an equivalent alternative was chosen.
How do task management tools fit into HIPAA technical safeguards?
If your task management tool stores or transmits ePHI, even indirectly, like a task title mentioning a patient name, it must meet technical safeguard requirements: unique user IDs, audit logs, role-based access, and encrypted transmission. PHIGuard is built to satisfy these requirements at every pricing tier.