45 C.F.R. § 164.312

Technical safeguards

Read at: eCFRecfr.gov CornellLII GovInfogovinfo.gov CasesGoogle Scholar

A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

(2) Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

[68 FR 8376, Feb. 20, 2003, as amended at 78 FR 5694, Jan. 25, 2013]
Notes of Decisions
Cited in 8 cases (3 in the last 5 years), 2015–2025 · leading case: United States Ex Rel. Sheldon v. Kettering Health Network, 816 F.3d 399 (6th Cir. 2016).
United States Ex Rel. Sheldon v. Kettering Health Network, 816 F.3d 399 (6th Cir. 2016). · cites it 3× “During Stage 2, providers are additionally required to “address[] the encryption/security-of data stored in Certified EHR Technology in accordance with requirements under” 45 C.F.R. §§ 164.312 (a)(2)(iv) and 164.306(d)(3).”
Sheldon v. Kettering Health Network, 2015 Ohio 3268 (Ohio Ct. App. 2015). “We note that 45 C.F.R. § 164.312 (b) provides for a hospital to “[i]mplement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Weinberg v. Advanced Data Processing, Inc., 147 F. Supp. 3d 1359 (S.D. Fla. 2015). “306 (a)(1); Failing to implement technical policies and procedures for electronic information systems that maintain electronically protected health information to allow ac--eess only to those persons or software programs that have been granted access rights in violation of 45…”
Gilbert v. Highland Hosp., 52 Misc. 3d 555 (N.Y. Sup. Ct. 2016). “) Both federal and New York law require that any medical provider who maintains electronic records must also maintain an audit trail (see 45 CFR 164.312; 10 NYCRR 405.10). The plaintiff has sought discovery of the audit trail because the medical records produced thus far do not…”
MD Anderson v. HHS (5th Cir. 2021). “45 C.F.R. §§ 164.312 (a)(2)(iv), 164.306(d) (the “Encryption Rule”).”
Wallace v. Nuvance Health (S.D.N.Y. 2021). “, 45 C.F.R. § 164.312 (requiring covered entities to implement “technical policies and procedures for electronic information systems that maintain protected health information to allow access only to those persons or software programs that have been granted access.”
Negron v. Ascension Health (E.D. Mo. 2025). “45 C.F.R. § 164.312 (a)(1). Ascension’s HIPAA Notice of Privacy Practices states in pertinent part: Our Commitment We are committed to maintaining the privacy and confidentiality of your health information.”
Vargas v. Lee, 2019 NY Slip Op 2142 (N.Y. App. Div. 2019). “Hospitals are required to maintain audit trails under federal and state law ( see 45 CFR 164.312[b]; 10 NYCRR 405.10[c][4][v]).”
— 45 C.F.R. § 164.312(a)(2)(iv) — 1 case
United States Ex Rel. Sheldon v. Kettering Health Network, 816 F.3d 399 (6th Cir. 2016). “During Stage 2, providers are additionally required to “address[] the encryption/security-of data stored in Certified EHR Technology in accordance with requirements under” 45 C.F.R. §§ 164.312 (a)(2)(iv) and 164.306(d)(3).”
Annotations are extracted automatically from the opinions in the Syfert caselaw corpus and ranked by authority, recency, and treatment. Dots show Syfertize treatment of the citing case itself.