Skip to Content

A Summary of the Proposed HIPAA Regulations Implementing HITECH
Physical Safeguards

Physical Safeguards


A CE must limit physical access to its electronic information systems and the facilities that store such information by only allowing access to authorized individuals or entities.92 The CE must specify the proper functions of electronic computing devices that have access to or contain e-PHI, and restrict access of those devices to authorized users.93 These restrictions include: 1) access controls, which are technical policies and procedures that allow only authorized persons or software programs to access e-PHI;94 2) audit controls, which are hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI;95 3) integrity controls, which are policies and procedures to protect e-PHI from improper alterations or destruction and adopt electronic measures to confirm that e-PHI has not been improperly altered or destroyed;96 4) authentication controls, which are procedures to confirm that persons or entities seeking access to e-PHI are who they claim to be;97 and 5) transmission controls, which are technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic communications network.98



  • 92. Id. at § 164.310(a).
  • 93. Id. at § 164.310(b)-(c).
  • 94. Id. at § 164.312(a).
  • 95. Id. at § 164.312(b).
  • 96. Id. at § 164.312(c).
  • 97. Id. at § 164.312(d).
  • 98. Id. at § 164.312(e).