In 2023, OCR settled with a health system for $1.3 million after investigators found the organization had failed to implement basic access controls on systems containing electronic protected health information (ePHI). The root cause wasn't a sophisticated cyberattack — it was an absence of technical safeguards that HIPAA's Security Rule has required since 2005. If your workforce can't answer the question "which action would be considered a technical safeguard," your organization is already at risk.
Which Action Would Be Considered a Technical Safeguard Under the Security Rule
The HIPAA Security Rule (45 CFR § 164.312) defines technical safeguards as the technology and the policies and procedures governing its use that protect ePHI and control access to it. Unlike administrative safeguards (which deal with workforce management and policies) or physical safeguards (which protect hardware and facilities), technical safeguards live inside your information systems.
The specific actions that qualify as technical safeguards include:
- Access controls — assigning unique user IDs, establishing emergency access procedures, implementing automatic logoff, and encrypting ePHI at rest and in transit
- Audit controls — deploying hardware, software, or procedural mechanisms to record and examine activity in systems that contain or use ePHI
- Integrity controls — implementing electronic measures to confirm that ePHI has not been altered or destroyed in an unauthorized manner
- Person or entity authentication — verifying that a person or entity seeking access to ePHI is who they claim to be
- Transmission security — protecting ePHI when it is transmitted over an electronic communications network, including encryption and integrity controls
So when someone asks which action would be considered a technical safeguard, the clearest answer is: any technology-based measure that restricts, monitors, or secures electronic access to PHI. Assigning a unique user ID to every workforce member is a textbook example. Installing a firewall is another. Enabling multi-factor authentication is yet another.
The Technical Safeguard OCR Investigates First
In my work with covered entities and business associates preparing for audits, I've found that OCR investigators almost always start with access controls. Under 45 CFR § 164.312(a)(1), your organization must implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to authorized persons or software programs.
This is where most HIPAA violations originate. Shared login credentials, failure to revoke access for terminated employees, and generic admin accounts are among the most common findings in enforcement actions. Between 2019 and 2024, OCR's enforcement activity repeatedly cited inadequate access controls as a contributing factor in breaches affecting hundreds of thousands of patients.
The fix is straightforward but requires discipline: unique user identification for every workforce member, role-based access aligned with the minimum necessary standard, automatic session timeouts, and documented emergency access procedures.
Encryption: Required or Addressable — and Why It Matters
Healthcare organizations consistently struggle with encryption requirements. Under the Security Rule, encryption is an "addressable" implementation specification — not optional, but requiring a documented risk analysis. If your organization decides not to encrypt ePHI, you must document why and implement an equivalent alternative measure.
In practice, OCR treats unencrypted ePHI as a major liability. Under the Breach Notification Rule (45 CFR §§ 164.400-414), a lost or stolen device containing encrypted PHI is not considered a reportable breach because the data is rendered unusable. An identical device without encryption triggers mandatory breach notification to affected individuals, HHS, and potentially the media.
This single technical safeguard — encryption — can be the difference between a non-event and a six-figure penalty. If your risk analysis hasn't addressed encryption decisions in writing, that gap needs to close immediately.
Audit Controls Most Organizations Underestimate
Section 164.312(b) requires covered entities to implement audit controls — mechanisms that record and examine access and activity in systems containing ePHI. Many organizations install audit logging but never actually review the logs. That's not compliance. OCR expects evidence that your organization actively monitors audit trails to detect unauthorized access.
Effective audit controls include:
- Automated logging of user access events, including login attempts, file access, and modifications
- Regular review of audit logs on a defined schedule (weekly or monthly, depending on your risk profile)
- Alerts triggered by anomalous activity, such as access outside normal business hours or bulk record downloads
- Retention of audit logs for a minimum of six years, consistent with HIPAA's documentation requirements
Without active monitoring, your organization has audit data but not audit controls. OCR knows the difference.
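As an added example (not code from the original article), the following Python script applies the three alert conditions listed above to a constructed ePHI audit log: record access outside business hours, bulk record access by one user, and repeated authentication failures. The log format, business hours and thresholds are assumptions for illustration; a real review would tune them to the organization's risk analysis.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical EHR export, not real data):
# "<ISO timestamp> <user id> <action> <patient record id or ->"
SAMPLE_LOG = "\n".join([
    "2024-03-04T09:12:00 jsmith VIEW PT1001",
    "2024-03-04T09:14:30 jsmith VIEW PT1002",
    "2024-03-04T10:05:00 rlee LOGIN_FAIL -",
    "2024-03-04T10:05:20 rlee LOGIN_FAIL -",
    "2024-03-04T10:05:40 rlee LOGIN_FAIL -",
    "2024-03-04T10:06:00 rlee LOGIN_FAIL -",
    "2024-03-04T10:06:20 rlee LOGIN_FAIL -",
    "2024-03-04T23:41:10 tdoe VIEW PT1003",   # single after-hours view
    # 60 exports by one account in one early-morning hour
    *[f"2024-03-05T02:{i:02d}:00 admin EXPORT PT{2000 + i}" for i in range(60)],
])

BUSINESS_HOURS = range(7, 19)            # assumed policy: 07:00-18:59
BULK_THRESHOLD = 50                      # assumed: distinct records per user per hour
FAILED_LOGIN_THRESHOLD = 5               # assumed: failures within the window below
FAILED_LOGIN_WINDOW = timedelta(minutes=15)
RECORD_ACTIONS = ("VIEW", "EXPORT")

def parse(log_text):
    """Turn each log line into (timestamp, user, action, record)."""
    rows = []
    for line in log_text.splitlines():
        ts, user, action, record = line.split()
        rows.append((datetime.fromisoformat(ts), user, action, record))
    return rows

def review(log_text):
    """Return sorted (rule, user) findings for the anomalies named in the text."""
    findings = set()
    per_user_hour = defaultdict(set)     # (user, hour bucket) -> distinct records
    failures = defaultdict(list)         # user -> failed-login timestamps
    for ts, user, action, record in parse(log_text):
        if action in RECORD_ACTIONS:
            if ts.hour not in BUSINESS_HOURS:
                findings.add(("after_hours_access", user))
            per_user_hour[(user, ts.replace(minute=0, second=0))].add(record)
        elif action == "LOGIN_FAIL":
            failures[user].append(ts)
    for (user, _hour), records in per_user_hour.items():
        if len(records) >= BULK_THRESHOLD:
            findings.add(("bulk_record_access", user))
    for user, times in failures.items():
        times.sort()                     # sliding window over sorted failure times
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                findings.add(("repeated_login_failures", user))
                break
    return sorted(findings)

if __name__ == "__main__":
    for rule, user in review(SAMPLE_LOG):
        print(f"{rule}: {user}")
```

Each finding is evidence that logs were examined, not merely collected; ticketing or sign-off on the reviewed findings is what produces the documentation OCR asks for.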
How Technical Safeguards Connect to Your Risk Analysis
Every technical safeguard decision should flow from your organization's risk analysis, required under 45 CFR § 164.308(a)(1)(ii)(A). The risk analysis identifies threats and vulnerabilities to ePHI; technical safeguards are the mechanisms you deploy to reduce those risks to a reasonable and appropriate level.
If your risk analysis identifies a threat of unauthorized remote access, your technical safeguard response might include VPN requirements, multi-factor authentication, and transmission encryption. If the risk analysis flags the possibility of insider threats, your response should include granular access controls, audit logging with active review, and automatic logoff policies.
Documenting this connection — threat identified, safeguard selected, rationale documented — is what separates organizations that survive an OCR investigation from those that pay penalties.
Training Your Workforce on Technical Safeguard Responsibilities
Technical safeguards aren't just an IT department concern. Every workforce member who accesses ePHI interacts with these controls daily — logging in with unique credentials, locking workstations, recognizing phishing attempts designed to bypass authentication. Your workforce training program must cover these responsibilities explicitly.
Under the Security Rule's administrative safeguard provisions at 45 CFR § 164.308(a)(5), security awareness and training is required for all workforce members. The most effective programs I've seen tie technical safeguard education directly to daily workflows: what to do when a session times out, how to report a suspected access breach, why sharing passwords violates policy and federal law.
If your organization needs a structured approach to meeting this requirement, HIPAA training and certification programs provide workforce-ready education aligned with Security Rule requirements. For a comprehensive platform that covers both technical and administrative safeguard training, HIPAA Certify's workforce compliance solution helps organizations document training completion and maintain audit-ready records.
Take Action Before OCR Does
Understanding which action would be considered a technical safeguard is not an academic exercise — it's the foundation of your Security Rule compliance program. Map every technical safeguard back to your risk analysis. Verify that access controls are enforced at the user level. Confirm that encryption decisions are documented. Review your audit logs; don't just collect them.
The organizations that avoid enforcement actions are the ones that treat technical safeguards as an ongoing operational priority, not a one-time IT project. Start with your Notice of Privacy Practices and security policies, verify they reflect your actual technical environment, and close the gaps before your next risk assessment — or your next OCR inquiry.