HIPAA Technical Safeguards Checklist

Important: This checklist is for educational purposes. Implementation should be validated by qualified compliance and technical professionals. Anexio can provide the managed technology and documentation to meet these requirements.

1. Access Control (§164.312(a))

Unique User Identification: Assign unique IDs to every workforce member with ePHI access.
Emergency Access Procedure: Documented “break-glass” process with full audit logging.
Automatic Logoff: Systems must terminate sessions after 5–15 minutes of inactivity.
Encryption of ePHI at Rest: AES-256 or equivalent on all devices and storage containing ePHI.

2. Audit Controls (§164.312(b))

Mechanisms to record and examine all access, modification, and deletion of ePHI.
Logs retained for minimum 6 years (or longer per state law).
Regular (at least monthly) review of security logs for anomalies.

3. Integrity (§164.312(c))

Technical measures (hashing, digital signatures) to ensure ePHI is not improperly altered.
Verified backup and recovery processes.

4. Person or Entity Authentication (§164.312(d))

Multi-factor authentication required for all remote access and privileged accounts.
Strong password policy (minimum 12 characters, complexity, 90-day rotation).

5. Transmission Security (§164.312(e))

Encryption of ePHI in transit (TLS 1.2 or higher).
Secure methods for email and file exchange containing PHI (encrypted portals preferred).

How Anexio Helps

We deploy, monitor, and document these controls within our compliance-first platform. This includes 24/7 MDR, immutable backups, automated logging, quarterly testing, and auditor-ready evidence packages. Results vary by environment; we customize to your specific risk profile and workflow.