The Use of Technology and HIPAA Compliance
The use of technology and HIPAA compliance has become an increasingly complex subject due to the rapid adoption of technology in the health care and health insurance industries over the past twenty-five years. The evolving nature of HIPAA compliant healthcare technology and the ever-changing threat landscape are also factors that can impact HIPAA compliance.
At the time HIPAA was passed in 1996, healthcare IT was very different from what it is today. The passage of HIPAA coincided with the launch of the first webmail service (Hotmail); the dot-com bubble had yet to burst, the first AWS web services were still six years into the future, and it would be more than ten years until the iPhone became available. For reference, Gmail did not come out of “beta” until 2009.
Acknowledging the emergence of new technologies, the Department of Health and Human Services (HHS) designed the HIPAA Security Rule to be “technology neutral”. Discussing the rationale for this in what were effectively the first legal guidelines on the appropriate use of technology in healthcare, HHS explained that the neutrality and flexibility of the approach facilitated changes as and when necessary, adding:
“The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete”. Source: CMS’ Security 101 for Covered Entities
The foresight to make the HIPAA Security Rule technology neutral eliminated the need to amend the security standards to account for advancements in healthcare IT. Indeed, since the publication of the Final HIPAA Security Rule in 2003, the only changes to the security standards have been to accommodate the HIPAA Omnibus Rule in 2013.
The Requirements for HIPAA Compliant Technology
The requirements for HIPAA compliant technology apply when technology is used by a HIPAA covered entity or business associate to create, receive, store, or transmit electronic Protected Health Information (ePHI). The requirements not only cover responsibility for HIPAA compliance, but also the capabilities of the technology, how the technology is configured to support HIPAA compliance, and how it is used by workforce members.
Compliance with the HIPAA Technology Requirements
With regards to the use of technology and HIPAA compliance, the responsibility for complying with the HIPAA technology requirements varies depending on whether the technology is developed in-house by a covered entity or acquired from a third-party vendor via subscription. In the former case, the covered entity is responsible for complying with all HIPAA technology requirements, including the physical safeguards for the environment in which the technology is stored.
In the latter case, compliance with the HIPAA IT requirements is divided between the covered entity and the vendor according to the vendor’s shared responsibility model. Depending on the division of responsibilities and the terms of the Business Associate Agreement, this may mean the vendor is responsible for some administrative safeguards such as data backup, disaster recovery, and emergency mode operation. The vendor will also be responsible for workforce compliance training at their end.
The Capabilities Required for HIPAA Compliance
Regardless of the division of responsibilities, technologies must have certain capabilities to support HIPAA compliance. These capabilities include (but are not limited to):
- The ability to assign unique user IDs to control and monitor access to systems containing ePHI.
- Emergency access capabilities to allow authorized access to ePHI during emergency events.
- Automatic log-off to disconnect users from systems containing ePHI after a period of inactivity.
- The ability to encrypt ePHI at rest and in transit to the minimum standards required by NIST.
- Audit and integrity controls to ensure ePHI is not improperly accessed, altered, or destroyed.
- The ability to implement user authentication procedures such as MFA and biometric identification.
Not only must technologies include these capabilities to support HIPAA compliance, but they must also be configured so that they are used in a HIPAA compliant manner. This may involve connecting technologies via an encrypted VPN, activating automatic log-off policies, disabling third-party software integrations, encrypting emails by default, and/or enforcing MFA or biometric identification for users with access to cloud storage volumes.
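The following is an added illustration, not code from the HIPAA Journal article, of three of the capabilities listed above working together: sessions bound to unique user IDs, automatic log-off after a period of inactivity, and an audit and integrity trail for ePHI access. The timeout value, the HMAC key, the record contents and the user names are all constructed for the example.

```python
# Added example: minimal ePHI session handling with unique user IDs,
# automatic log-off on inactivity, and an audit/integrity trail.
import hashlib
import hmac
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 900  # seconds (15 minutes); a constructed policy value
AUDIT_KEY = b"constructed-placeholder-key"  # a real system uses a managed secret


@dataclass
class Session:
    user_id: str
    last_activity: float
    emergency: bool = False  # break-glass sessions are permitted but flagged in the audit log


class EphiStore:
    def __init__(self):
        self.records = {"pt-001": "constructed ePHI record"}  # sample data, not real PHI
        self.audit = []  # entries: (timestamp, user_id, action, record_id, outcome)
        self.sessions = {}  # one session per unique user ID

    def _log(self, now, user_id, action, record_id, outcome):
        self.audit.append((now, user_id, action, record_id, outcome))

    def login(self, user_id, now, emergency=False):
        # Every session is tied to one unique user ID; shared accounts defeat auditing.
        self.sessions[user_id] = Session(user_id, now, emergency)
        self._log(now, user_id, "login", None, "emergency" if emergency else "ok")

    def read(self, user_id, record_id, now):
        session = self.sessions.get(user_id)
        if session is None:
            self._log(now, user_id, "read", record_id, "denied:no-session")
            return None
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            # Automatic log-off: discard the stale session and audit the denied attempt.
            del self.sessions[user_id]
            self._log(now, user_id, "read", record_id, "denied:auto-logoff")
            return None
        session.last_activity = now
        self._log(now, user_id, "read", record_id, "ok")
        return self.records.get(record_id)

    def integrity_tag(self, record_id):
        # Keyed hash over the stored record; a later mismatch indicates alteration.
        data = self.records[record_id].encode()
        return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()
```

Each denied or emergency access leaves an audit entry, which is what an integrity review of ePHI access relies on.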
HIPAA Compliance Technology Training
Even though technologies may be designed and configured to support HIPAA compliance, it is how the technology is used that determines compliance. In order to increase the likelihood that technologies are used in compliance with HIPAA, it is necessary to provide HIPAA compliance technology training to all members of the workforce who will use the technologies and to all members of the IT department responsible for configuring them.
HIPAA IT compliance is important because it is sometimes overlooked that the administrative, physical, and technical safeguards of the HIPAA Security Rule must be implemented “in accordance with §164.306” – the Security Rule’s General Requirements. This means that any measures implemented by the IT department must be implemented to “protect against any reasonably anticipated uses or disclosures of PHI not permitted by the HIPAA Privacy Rule”, rather than merely to tick the box of HIPAA compliance.
With regards to the nature of workforce HIPAA compliance technology training, this will depend on what technologies are being introduced and whether they replace existing technologies. For example, if a healthcare organization is replacing an existing HIPAA compliant email system with an updated system, workforce members only need to receive training on any capabilities that are different from the existing system rather than all the capabilities of the new system.

The Use of Technology and HIPAA Compliance Looking Forward
Although the HIPAA Security Rule and the legal guidelines on the appropriate use of technology in healthcare have remained virtually the same over the past twenty years, this may be about to change. In January 2025, HHS published proposals to “strengthen the cybersecurity of electronic protected health information” which, if finalized, will make significant changes to the use of technology and HIPAA compliance in the future.
Concerned about the evolving nature of HIPAA compliant healthcare technologies and the inconsistent approach to HIPAA compliance by covered entities, HHS’ proposals include tighter definitions of key terms to remove ambiguity about their meaning, abolishing “addressable implementation specifications” (thereby making all implementation specifications “required”), and the introduction of new standards to align the HIPAA Security Rule more closely with the HPH Cybersecurity Performance Goals announced in January 2024.
The new standards also aim to reverse the “rampant escalation of cyberattacks using hacking and ransomware” that target electronic medical devices and other connected technologies. With it being clear that the current requirements for HIPAA compliant technology are failing to cope with the ever-changing threat landscape, HHS is proposing that HIPAA covered entities:
- Develop a technology asset inventory to map the movement of all ePHI through the organization.
- Conduct a compliance audit at least annually to ensure compliance with the requirements for HIPAA compliant technology.
- Deploy technical controls for configuring information systems and disabling network ports in a consistent manner.
- Conduct vulnerability scans at least every six months and penetration tests at least every twelve months.
- Segregate networks where possible without disrupting the flow of information, and use separate systems for backups and recoveries of ePHI.
Covered entities and business associates who are concerned that the proposals may impact their use of technology and HIPAA compliance are advised to seek independent compliance advice.