
HIPAA Cybersecurity Requirements: Technical Safeguards, Passwords, and IT Security

Understand HIPAA cybersecurity requirements including technical safeguards, password policies, encryption standards, and IT security best practices.

Agency Team

The technical side of HIPAA compliance is where most organizations struggle — not because the requirements are impossibly complex, but because the Security Rule's flexibility leaves too much room for interpretation. This guide eliminates that ambiguity.

HIPAA cybersecurity requirements define the technical protections your organization must implement to safeguard electronic protected health information (ePHI). While the HIPAA Security Rule organizes safeguards into three categories — administrative, physical, and technical — it is the technical safeguards that IT teams and security engineers must implement and maintain day to day. If you are a covered entity or business associate handling ePHI, understanding these requirements in practical terms is critical to avoiding both compliance failures and data breaches.

This guide focuses specifically on the cybersecurity and IT security dimensions of HIPAA: the five categories of technical safeguards, what HIPAA actually requires for passwords, encryption mandates and the addressable specification nuance, network security and access controls, IT security best practices that go beyond minimum compliance, and the most common technical gaps that OCR finds during investigations.

HIPAA Technical Safeguards Overview

The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement technical safeguards — the technology and related policies and procedures that protect ePHI and control access to it. There are five technical safeguard categories:

Access Control (§164.312(a))

You must implement technical policies and procedures to allow only authorized persons and software programs to access ePHI. Its implementation specifications, each marked required or addressable, are:

  • Unique user identification (Required) — Assign a unique identifier to each user for tracking access to ePHI
  • Emergency access procedure (Required) — Establish procedures for obtaining ePHI during emergencies
  • Automatic logoff (Addressable) — Implement electronic procedures to terminate sessions after a period of inactivity
  • Encryption and decryption (Addressable) — Implement mechanisms to encrypt and decrypt ePHI

Audit Controls (§164.312(b))

You must implement hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use ePHI. This includes logging access events, authentication attempts, data modifications, and administrative actions. The logs must be reviewed regularly — simply collecting them is not sufficient.

Integrity Controls (§164.312(c))

You must implement policies and procedures to protect ePHI from improper alteration or destruction. The addressable specification calls for electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

Person or Entity Authentication (§164.312(d))

You must implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be. This is a required specification with no addressable alternative.

Transmission Security (§164.312(e))

You must implement technical security measures to guard against unauthorized access to ePHI being transmitted over electronic communications networks. This includes integrity controls and encryption as addressable specifications.

HIPAA Password Requirements

One of the most frequently searched HIPAA topics is what the regulation actually requires for passwords. The answer may surprise you: HIPAA does not specify minimum password length, complexity rules, or rotation schedules.

What HIPAA requires (under §164.312(d)) is that your organization implement procedures to verify user identity and, under §164.312(a)(2)(iv), implement a mechanism for encrypting and decrypting ePHI. The Security Rule's password-related obligations fall under the broader access control and authentication requirements.

What You Should Actually Implement

While HIPAA does not prescribe specific password requirements, the Office for Civil Rights (OCR) evaluates your password practices against current industry standards during investigations. Here is what meets the practical standard:

| Practice | Recommended standard | Rationale |
| --- | --- | --- |
| Minimum password length | 12+ characters | NIST SP 800-63B guidance, aligns with industry best practice |
| Complexity requirements | Allow full character set but do not mandate arbitrary complexity | NIST recommends against complexity rules that lead to predictable patterns |
| Multi-factor authentication | Required for remote access, recommended for all ePHI access | Single strongest defense against credential compromise |
| Password rotation | Only on evidence of compromise | NIST SP 800-63B recommends against periodic rotation |
| Password managers | Encouraged for all workforce members | Enables longer, unique passwords without memorization burden |
| Account lockout | After 3-5 failed attempts | Prevents brute-force attacks |
| Default credentials | Must be changed before deployment | Attackers actively scan for default credentials |
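As an added example that is not part of the original article, here is how the table's length, compromised-password screening and lockout rows translate into code a login service could call; the BREACHED set, the 15-minute window and the account names are constructed assumptions.

```python
# Password policy and lockout checks for the table above. Added example, not
# from the article; BREACHED and the account names are constructed sample data.
from collections import defaultdict, deque

MIN_LENGTH = 12           # "12+ characters"
MAX_FAILED = 5            # lockout "after 3-5 failed attempts"
LOCKOUT_WINDOW = 15 * 60  # seconds over which failed attempts are counted
# Constructed stand-in for a compromised-password corpus; NIST SP 800-63B
# asks that new passwords be screened against known-breached values.
BREACHED = {"password1234", "welcome12345", "changeme1234"}


def check_password(candidate: str, username: str) -> list:
    """Return policy findings; an empty list means the password is acceptable.

    No composition rules (upper/lower/digit/symbol), which NIST recommends
    against: length, a breached-list screen and a username check instead.
    """
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        findings.append("appears in known-compromised password list")
    if username and username.lower() in candidate.lower():
        findings.append("contains the username")
    return findings


class LockoutTracker:
    """Count failed logins per account in a sliding window; lock at MAX_FAILED."""
    def __init__(self, max_failed: int = MAX_FAILED, window: float = LOCKOUT_WINDOW):
        self.max_failed, self.window = max_failed, window
        self._failures = defaultdict(deque)   # account -> timestamps of failures

    def _prune(self, account: str, now: float) -> deque:
        q = self._failures[account]
        while q and now - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        return q

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed attempt at time `now`; True means the account is now locked."""
        q = self._prune(account, now)
        q.append(now)
        return len(q) >= self.max_failed

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._prune(account, now)) >= self.max_failed

    def reset(self, account: str) -> None:
        """Clear failures after a successful login or an administrator unlock."""
        self._failures.pop(account, None)
```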

For startups implementing HIPAA for the first time, see our HIPAA compliance guide for startups.

Encryption Requirements

HIPAA encryption requirements are classified as "addressable" rather than "required" — but this does not mean encryption is optional. The addressable designation means you must implement encryption or document why an equivalent alternative measure is reasonable and appropriate.

Encryption at Rest

You should encrypt all ePHI stored on servers, databases, workstations, laptops, mobile devices, and removable media. Acceptable approaches include:

  • Full-disk encryption (BitLocker, FileVault) for endpoints and workstations
  • Database-level encryption (TDE for SQL Server, encryption at rest for PostgreSQL/MySQL)
  • Cloud storage encryption (AWS S3 server-side encryption, Azure Storage Service Encryption, GCP default encryption)
  • Application-level encryption for particularly sensitive fields

The encryption standard should be AES-256 or equivalent. FIPS 140-2 validated modules are preferred and may be required depending on your contractual obligations.

Encryption in Transit

All ePHI transmitted over networks must be protected against unauthorized interception. This requires:

  • TLS 1.2 or higher for all web traffic, API communications, and email containing ePHI
  • VPN or encrypted tunnels for remote access to systems containing ePHI
  • Encrypted email or secure messaging for ePHI shared with external parties
  • SFTP or SCP instead of unencrypted FTP for file transfers

The Safe Harbor Provision

Encryption is especially important because of the HIPAA Breach Notification Rule's safe harbor provision. If a breach involves ePHI that was encrypted in accordance with NIST guidance and the encryption keys were not compromised, the breach is not considered a reportable breach. This safe harbor alone makes encryption one of the highest-ROI security investments for HIPAA compliance.

For more on encryption requirements across compliance frameworks, see our article on whether SOC 2 requires encryption.

Network Security and Access Controls

HIPAA IT security extends beyond endpoints and encryption to encompass your entire network architecture.

Firewall and Network Segmentation

While HIPAA does not use the word "firewall," the access control requirements effectively mandate network boundary protection. You should implement firewalls between your ePHI environment and untrusted networks, network segmentation to isolate ePHI systems from general-purpose networks, and intrusion detection and prevention systems to monitor for malicious activity.

Access Control Lists and Role-Based Access

Implement role-based access controls (RBAC) that restrict ePHI access to workforce members who need it for their job functions. Key practices include:

  • Define roles with minimum necessary access to ePHI
  • Review access permissions quarterly and upon role changes
  • Implement just-in-time access for administrative functions
  • Maintain access control lists for all systems containing ePHI
  • Document and enforce access request and approval workflows

Audit Logging

Every access to ePHI must be logged with sufficient detail to identify who accessed what data, when, and what actions they performed. Logs must be protected from tampering, retained for a minimum of six years (per HIPAA's documentation retention requirement), and reviewed regularly for suspicious activity.
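As an added example that is not part of the original article, the tamper protection and regular review described here, together with the §164.312(c) mechanism for corroborating that records have not been altered, can be implemented as a keyed hash chain over log entries plus a review pass; the key, the sample events and the review thresholds are constructed assumptions.

```python
# Hash-chained audit log with a review pass for the audit-control and integrity
# requirements. Added example, not from the article; key, events and thresholds are constructed.
import hashlib
import hmac
import json
from collections import Counter

LOG_KEY = b"constructed-demo-key"   # in production: held in a KMS/HSM, never in source
GENESIS = "0" * 64                   # "previous tag" for the first entry


def append_event(chain: list, event: dict) -> dict:
    """Append an event bound to the previous entry's tag, so edits or deletions break the chain."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    tag = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
    entry = {"event": event, "prev": prev, "tag": tag}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return -1


def review(chain: list, max_failed: int = 5, work_hours=(7, 19)) -> list:
    """Flag repeated failed logins per account and ePHI access outside working hours."""
    findings, failed = [], Counter()
    for entry in chain:
        ev = entry["event"]
        if ev["action"] == "login" and ev["result"] == "fail":
            failed[ev["user"]] += 1
        hour = int(ev["time"][11:13])                 # ISO 8601 timestamp, local time
        if ev["action"] in ("read", "update", "delete") and not work_hours[0] <= hour < work_hours[1]:
            findings.append(f"{ev['user']} {ev['action']} {ev['record']} at {ev['time']} (off-hours)")
    findings += [f"{u}: {n} failed logins" for u, n in failed.items() if n >= max_failed]
    return findings


SAMPLE_EVENTS = [   # constructed sample events
    {"time": "2024-03-04T09:12:00", "user": "nurse01", "action": "read", "record": "MRN-1001", "result": "ok"},
    {"time": "2024-03-04T23:40:00", "user": "clerk02", "action": "read", "record": "MRN-1002", "result": "ok"},
] + [{"time": f"2024-03-04T10:0{i}:00", "user": "dr03", "action": "login", "record": "-", "result": "fail"}
     for i in range(5)]
```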

HIPAA IT Security Best Practices

Meeting the minimum HIPAA requirements is necessary but often insufficient to protect against modern cyber threats. These best practices go beyond baseline compliance:

Patch Management

Establish a documented patch management program with defined timelines: critical vulnerabilities patched within 14 days, high-severity within 30 days, and moderate within 90 days. Track patching compliance across all systems in your ePHI environment.

Endpoint Protection

Deploy endpoint detection and response (EDR) solutions on all systems that access ePHI. Traditional antivirus is no longer sufficient — modern threats require behavioral detection, automated response, and centralized visibility.

Vulnerability Scanning

Conduct internal and external vulnerability scans at least quarterly, with additional scans after significant changes to your environment. Scan results should feed directly into your remediation workflow.

Incident Detection and Response

Implement security information and event management (SIEM) capabilities to correlate security events across your environment. Establish documented incident response procedures with defined roles, communication plans, and escalation procedures. Test your incident response plan at least annually through tabletop exercises.

For tools that support these practices, see our guide to the best HIPAA compliance tools.

Common Technical Compliance Gaps

Based on OCR enforcement actions and breach investigations, these are the technical gaps that most frequently result in penalties:

Unencrypted Devices

Unencrypted laptops and mobile devices containing ePHI remain one of the most common breach causes. OCR has levied multi-million-dollar penalties for breaches involving stolen unencrypted laptops. Encrypt every device that touches ePHI — no exceptions.

Missing Risk Assessments

The Security Rule requires a comprehensive risk assessment, yet OCR consistently finds that organizations either have never conducted one or have not updated it after significant changes. A risk assessment is not a one-time checklist — it must be ongoing and documented.

Insufficient Access Controls

Broadly permissive access to ePHI, shared credentials, and lack of access reviews are cited in numerous enforcement actions. The principle of minimum necessary access must be technically enforced, not just stated in policy.

Inadequate Audit Logging

Insufficient logging — or logging without review — means unauthorized access can go undetected for months. OCR expects not just log collection but documented evidence of regular log review and anomaly investigation.

Delayed Breach Notification

HIPAA requires notification within 60 days of discovering a breach affecting 500 or more individuals. Failure to detect breaches promptly (due to inadequate monitoring) effectively compounds the notification violation.

For guidance on documenting your HIPAA compliance through policies and procedures, see our HIPAA policies and procedures guide. Organizations also pursuing SOC 2 should review our SOC 2 vs. HIPAA comparison to understand how these frameworks overlap.

Need help implementing HIPAA technical safeguards? Contact Agency for a cybersecurity assessment tailored to healthcare compliance.
