In February 2024, OCR settled with a healthcare system for $4.75 million after investigators found the organization had failed to encrypt protected health information on portable devices — a technical safeguard that's been an industry standard for over a decade. The case is a stark reminder that HIPAA technology rules aren't optional guidelines. They are enforceable requirements with significant financial consequences for organizations that ignore them.
Where the HIPAA Technology Rules Actually Live in the Regulation
Healthcare organizations consistently confuse HIPAA's technology requirements with a single checklist of mandated tools. That's not how the regulation works. The HIPAA technology rules are primarily housed within the Security Rule (45 CFR Part 164, Subpart C), which establishes administrative, physical, and technical safeguards for electronic protected health information (ePHI).
The Security Rule is intentionally technology-neutral. It doesn't mandate specific software, hardware, or vendors. Instead, it requires your covered entity or business associate to implement reasonable and appropriate safeguards based on your own risk analysis. This flexibility is both a strength and a trap — organizations that interpret "flexible" as "optional" find themselves on the wrong side of an OCR enforcement action.
Beyond the Security Rule, technology intersects with the Privacy Rule's minimum necessary standard and the Breach Notification Rule's requirements for assessing whether encryption rendered breached data unusable. Your technology choices directly determine your regulatory exposure across all three rules.
The Three Safeguard Categories Every Covered Entity Must Address
The Security Rule organizes its requirements into three categories. Each one carries specific implementation specifications that are either "required" or "addressable" — and addressable does not mean ignorable.
Technical Safeguards (§ 164.312)
These are the controls most people think of when they hear HIPAA technology rules: access control, audit controls, integrity, person or entity authentication, and transmission security. Under the access control standard, unique user identification for every workforce member who accesses ePHI and an emergency access procedure are "required" implementation specifications; automatic logoff and encryption/decryption are "addressable," which means you must either implement them or document why an equivalent alternative measure is reasonable and appropriate for your environment.
Audit controls (§ 164.312(b)) are a required standard with no addressable option, and they are frequently overlooked. Your systems must implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Recording alone is not enough: the administrative safeguards separately require regular information system activity review (§ 164.308(a)(1)(ii)(D)), so logs that are collected but never examined still leave a gap. OCR investigators routinely request audit logs during compliance reviews, and organizations that cannot produce them face immediate scrutiny.
Physical Safeguards (§ 164.310)
Physical safeguards govern how your organization controls physical access to technology infrastructure. This includes facility access controls, workstation use policies, workstation security measures, and device and media controls. If your workforce uses laptops, tablets, or mobile devices to access ePHI, you need policies governing exactly how those devices are secured, tracked, re-used, and disposed of, because a device that leaves your control with readable ePHI on it is exactly the scenario that triggers breach analysis.
Administrative Safeguards (§ 164.308)
Administrative safeguards are the management backbone of your technology compliance. They require a designated security official, workforce training on security policies, security incident procedures, and, critically, a comprehensive risk analysis. In my work with covered entities, I've found that the risk analysis requirement under § 164.308(a)(1)(ii)(A) is the single most cited deficiency in OCR enforcement actions.
Risk Analysis: The Foundation of HIPAA Technology Compliance
OCR has made clear, repeatedly and publicly, that a thorough risk analysis is the foundation of every compliant technology program. Between 2008 and 2024, the failure to conduct an adequate risk analysis appeared in the majority of OCR settlement agreements and civil money penalties.
A compliant risk analysis must identify every system that creates, receives, maintains, or transmits ePHI, including cloud services, vendor-hosted platforms, and workforce mobile devices. It must evaluate the threats and vulnerabilities specific to your environment and the likelihood and impact of each. And it must be updated regularly, not conducted once and filed away. The Security Rule sets no fixed interval, but OCR expects the analysis to be revisited whenever your systems, vendors, or threat landscape change; if your organization completed a risk analysis in 2020 and hasn't revisited it since, you are not in compliance.
Your risk analysis should directly inform your technology decisions. If you identify a vulnerability in how your organization transmits ePHI externally, encryption becomes a necessary response. If you discover that workforce members share login credentials, implementing unique user authentication moves from best practice to urgent requirement.
Encryption: Addressable Does Not Mean Optional
One of the most dangerous misunderstandings about HIPAA technology rules involves encryption. The Security Rule lists encryption as an "addressable" implementation specification under both the access control standard (§ 164.312(a)(2)(iv)) and the transmission security standard (§ 164.312(e)(2)(ii)).
"Addressable" means your organization must assess whether encryption is reasonable and appropriate for your environment. If you determine it is, and in virtually every modern healthcare setting it is, you must implement it. If you decide it is not, § 164.306(d)(3) requires you to document why, and to implement an equivalent alternative measure if one is reasonable and appropriate. Simply ignoring the specification is a violation.
Organizations that encrypt ePHI at rest and in transit gain a significant advantage under the Breach Notification Rule. Under § 164.402, notification obligations attach only to "unsecured" PHI, which is PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance. That guidance points to NIST-consistent encryption (NIST SP 800-111 for data at rest; SP 800-52, 800-77, and 800-113 for data in transit), with the important caveat that the decryption key must not also have been compromised. In practice this means keys must be stored separately from the data they protect: a lost laptop with full-disk encryption whose recovery key is on a sticky note in the laptop bag, or an encrypted backup stored alongside its passphrase, does not qualify. Proper encryption can be the difference between a reportable breach affecting thousands of patients and a non-reportable security event.
The Workforce Training Requirement Most Organizations Underestimate
Technology safeguards fail when your workforce doesn't understand them. The Security Rule requires security awareness and workforce training under § 164.308(a)(5), including training on protection from malicious software, login monitoring, and password management. The Privacy Rule separately requires training on your organization's privacy policies and procedures.
In practice, this means every workforce member — not just clinical staff, but billing, administrative, janitorial, and volunteer personnel — needs training appropriate to their role. Annual training is industry standard, but training should also occur at onboarding and whenever policies change. Investing in comprehensive HIPAA training and certification ensures your workforce understands both the regulatory requirements and the specific technology policies your organization has implemented.
Business Associate Agreements and Technology Vendors
Every technology vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate under HIPAA. This includes your EHR vendor, cloud hosting provider, billing clearinghouse, email encryption service, and telehealth platform. The "conduit" exception is narrow: it covers services that merely transmit data with only transient access (an ISP, for example), and HHS has said that a cloud provider storing ePHI is a business associate even if the data is encrypted and the provider never holds the key. Under the Omnibus Rule, business associates are directly liable for Security Rule compliance.
Your business associate agreements must specify how each vendor will safeguard ePHI, report security incidents, and return or destroy data at the end of the relationship, and your business associates must in turn have agreements with any subcontractors that handle the same ePHI. If you're using a cloud-based platform to store patient records without a signed BAA, you have an active HIPAA violation right now, regardless of how secure that platform claims to be.
Putting HIPAA Technology Rules Into Practice
Compliance with HIPAA technology rules is not a one-time project. It requires ongoing risk analysis, continuous workforce education, documented policies, and regular evaluation of your technical, physical, and administrative safeguards. OCR's enforcement trend is clear: organizations that treat technology compliance as an afterthought pay for it — in penalties, reputational damage, and patient trust.
Start by auditing your current safeguards against the Security Rule's requirements. Update your risk analysis. Review every business associate agreement. And make sure your entire workforce is trained — not just aware, but competent and accountable. A platform like HIPAA Certify for workforce compliance can help you build and document a training program that satisfies both the Privacy Rule and Security Rule requirements.
The technology your organization uses will continue to evolve. The regulatory obligation to protect patient data through that technology will not.