Phase 3: Technical & Physical Safeguards Implementation
This is the most technically intensive phase. You will implement the technical and physical safeguards identified in the Risk Management Plan: encryption, access controls, audit logging, network segmentation, physical security, backup and recovery, and all other controls required to protect ePHI. This phase requires close collaboration between the compliance team and IT/facilities staff. Focus on addressing Critical and High risks first, then work down the priority list.
🎯 Objectives
- ✓ Implement encryption for ePHI at rest and in transit across all identified systems
- ✓ Deploy role-based access controls and unique user identification on all ePHI systems
- ✓ Implement comprehensive audit logging and monitoring capabilities
- ✓ Establish physical access controls for facilities housing ePHI systems
- ✓ Implement workstation security measures including automatic logoff and device encryption
- ✓ Deploy backup and disaster recovery capabilities meeting HIPAA requirements
- ✓ Establish network segmentation and perimeter security for ePHI environments
Encryption Implementation
🎓 Beginner's Note
Encryption is your single most important technical control. If you can only implement one thing, implement encryption. It protects data from theft (encrypted laptop = no breach), it satisfies the Breach Notification safe harbor, and it addresses one of OCR's most common findings. AES-256 is the gold standard algorithm. TLS 1.2 or higher is required for data in transit.
💡 Consultant Tips
- ● Start with encryption in transit (TLS/VPN) as it is usually faster to implement and addresses a common attack vector
- ● For database encryption, TDE (Transparent Data Encryption) is the easiest path for SQL Server and Oracle — it encrypts the entire database at the storage level with minimal performance impact
- ● Implement key management procedures — encryption is only as strong as your key management. Store keys separately from encrypted data
- ● Test encryption implementations thoroughly in a staging environment before production deployment — encryption can break applications that are not designed for it
- ● Document all encryption implementations, algorithms used (AES-256 recommended), and key management procedures
- ● Remember: encrypted ePHI that is breached is NOT reportable under the Breach Notification Rule — this is the HIPAA safe harbor
Access Control and Identity Management
🎓 Beginner's Note
Think of access control as building a series of locked doors. Every person gets a unique key (unique user ID), the key only opens the doors they need (RBAC), they must prove they are who they say they are (MFA), the door locks automatically behind them (auto-logoff), and every time a door is opened, it is recorded (audit log). Break-glass is the fire alarm that opens all doors in an emergency but triggers an alarm.
💡 Consultant Tips
- ● Audit every system for shared accounts and generic logins (admin, nurse1, frontdesk) — each must be replaced with individual accounts
- ● Define RBAC roles based on job functions and map them to specific data access levels in each ePHI system
- ● Implement MFA for: all remote access, VPN connections, administrative accounts, patient portal administration, and cloud service administration
- ● Configure automatic session timeout on all ePHI systems: 2-5 minutes for clinical workstations in public areas, up to 15 minutes for secure offices
- ● Create a documented break-glass procedure for emergency access with logging and post-event review requirements
Audit Logging and Monitoring
🎓 Beginner's Note
Logging without review is like having a security camera that nobody watches. You must both implement the logs AND regularly review them. Many HIPAA breaches are discovered months or years after they occurred because nobody was reviewing access logs. Start with automated alerts for the highest-risk events and build out from there.
💡 Consultant Tips
- ● Define what constitutes 'normal' access patterns for each role so you can identify anomalies (e.g., a billing clerk accessing 500 records in one day is abnormal)
- ● Set up automated alerts for high-risk events: multiple failed logins, after-hours access, bulk data exports, access to VIP patient records
- ● Ensure audit logs cannot be modified or deleted by the users being audited — store logs on a separate system or use write-once storage
- ● Establish a log review schedule: automated daily alert review, weekly summary review, monthly detailed analysis
- ● Retain all audit logs for at least 6 years to meet HIPAA documentation requirements
- ● For databases, implement both application-level audit logging (who used the EHR to view records) and database-level audit logging (what SQL queries hit the database)
Physical Security Implementation
🎓 Beginner's Note
Physical security is often overlooked in favor of technical controls, but some of the largest HIPAA fines have resulted from physical security failures: stolen unencrypted laptops, paper records in dumpsters, and unauthorized access to server rooms. Walk through the facility and look at everything with fresh eyes: Can you see patient information on screens from the waiting room? Is the server room unlocked? Are paper records left on printers?
💡 Consultant Tips
- ● Prioritize server rooms and data centers — these must have the highest level of physical access control with access logging
- ● Install privacy screen filters on all monitors in public-facing areas (registration desks, nursing stations in hallways)
- ● Implement a clean desk policy: no PHI visible on desks, all paper records secured when unattended
- ● Establish visitor management procedures for all areas containing ePHI systems
- ● Implement secure disposal: paper shredding (cross-cut, not strip-cut), hard drive degaussing or physical destruction, and certificates of destruction from vendors
Backup, Recovery, and Contingency Implementation
🎓 Beginner's Note
The contingency plan answers the question: 'What happens when everything goes wrong?' If the database crashes, if the building floods, if ransomware encrypts everything — how does the organization recover? Your database backup strategy is the core of this plan. Make sure backups are automatic, encrypted, stored offsite, and regularly tested.
💡 Consultant Tips
- ● Follow the 3-2-1 backup rule: 3 copies of data, on 2 different media types, with 1 copy offsite
- ● All backups containing ePHI must be encrypted — an unencrypted backup is a breach waiting to happen
- ● Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical system in consultation with clinical leadership
- ● Test backup restoration regularly — a backup that cannot be restored is not a backup. Conduct quarterly restoration tests at minimum
- ● Document emergency mode operations procedures: how does the organization continue to provide care if the EHR is down for 24 hours? 72 hours?
Network Security and Segmentation
🎓 Beginner's Note
Network segmentation means putting ePHI systems behind additional security boundaries so that even if an attacker compromises a general office computer, they cannot easily reach the patient database. Think of it as having a secure vault inside a secure building — multiple layers of protection.
💡 Consultant Tips
- ● Segment the network so that ePHI systems are on dedicated VLANs with firewall rules controlling access between segments
- ● Implement a vulnerability management program: monthly vulnerability scans, quarterly penetration tests (or at least annually), and timely patching
- ● Secure wireless networks: WPA3 or WPA2-Enterprise with certificate-based authentication for networks accessing ePHI, separate guest wireless with no access to internal networks
- ● Deploy endpoint protection (anti-malware, EDR) on all systems that access ePHI
- ● Disable unnecessary services and ports on all ePHI systems — reduce the attack surface