The HHS safeguards include both physical and technical controls, including:
- Audit controls and logs for both software and hardware
- Unique user IDs, encryption and emergency access procedures
- Conditions for disposing of or removing electronic media
- Use of workstations and electronic media
- Facility access controls
Protected Health Information (PHI) and its electronic form (ePHI) must not be improperly altered or destroyed. Covered entities must have offsite backup and disaster recovery policies and procedures in place. They must also have transmission and network security controls in place to prevent unauthorized access to ePHI in transit.
A supplemental act, the Health Information Technology for Economic and Clinical Health Act (HITECH), strengthened the enforcement of HIPAA and raised the penalties that can be imposed on health organizations that violate it. It was created to promote the adoption of electronic health information technology and to tighten HIPAA enforcement in that area. In 2019 the average penalty was $1.2 million, indicating the size and severity of the infractions pursued by HHS.