Physical Safeguards (§164.310)

Physical safeguards protect the facilities and devices that house ePHI. There are four standards in §164.310.

• §164.310(a) Facility access controls — contingency operations, facility security plan, access control and validation, maintenance records. The cloud-equivalent is the SOC 2 / ISO 27001 attestation from the IaaS provider, augmented by your own controls for any on-prem device.
• §164.310(b) Workstation use — written policies for the use of workstations that access ePHI: where they may be used, what software runs on them, automatic locking.
• §164.310(c) Workstation security — physical safeguards for those workstations: cable locks, secure rooms, screen privacy filters in patient-facing areas.
• §164.310(d) Device and media controls — disposal, media re-use, accountability (a chain-of-custody log for portable media), and data backup and storage.

For pure cloud deployments, the IaaS provider handles the bulk of facility-level safeguards under their BAA. The covered entity or business associate is still responsible for endpoint device security — the CISO whose ePHI lives in AWS still answers for the laptop a developer plugged a USB drive into. Endpoint encryption (FileVault, BitLocker), MDM, and DLP are how engineering teams actually meet §164.310(d).

Technical Safeguards (§164.312)

The technical safeguards are the controls implemented in software and infrastructure. Five standards apply.

1. §164.312(a) Access control — unique user identification (required), emergency access procedure (required), automatic logoff (addressable), encryption and decryption (addressable). In practice: SSO with MFA, break-glass IAM roles, idle-session timeouts, AES-256 at rest.
2. §164.312(b) Audit controls — hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. CloudTrail, Azure Activity Logs, GCP Cloud Audit Logs, plus application-level access logs feeding a SIEM.
3. §164.312(c) Integrity — protection of ePHI from improper alteration or destruction. Database integrity constraints, immutable audit logs, hash-verified backups, write-once-read-many (WORM) storage for retained records.
4. §164.312(d) Person or entity authentication — verifying that a person or entity seeking access is the one claimed. MFA for human access, mTLS or signed JWTs for service-to-service.
5. §164.312(e) Transmission security — integrity controls and encryption for ePHI transmitted over a network. TLS 1.2 minimum (TLS 1.3 strongly preferred), with encryption of data in motion classified as addressable but treated by OCR as effectively required since the 2009 HHS guidance on encryption safe harbour.

The 2009 HHS Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable established that ePHI encrypted to NIST-approved standards is not "unsecured PHI" for breach-notification purposes. This created a strong de facto requirement: encrypt with AES-256 at rest and TLS 1.2+ in transit, and a lost laptop or intercepted message stops being a notifiable breach. Most CISOs treat this as the most valuable single control in the rule.

The Risk Analysis Loop That Holds It All Together

Every safeguard above traces back to the §164.308(a)(1)(ii)(A) risk analysis. The risk analysis identifies what controls you need; §164.308(a)(1)(ii)(B) risk management implements them; §164.308(a)(8) periodic evaluation tests whether they still work; the cycle repeats. A mature HIPAA programme runs this loop annually for the full estate and continuously for high-risk systems.

The output is a documentation package: a current asset inventory of ePHI-containing systems, a threat-and-vulnerability register, a risk register with treatment decisions, evidence that controls are operating, and the periodic-evaluation reports. When OCR opens an investigation, this package is what they ask for first. Organisations that have it pass; organisations that do not, settle.

Mapping Cloud Controls to the Security Rule

Modern AWS, Azure, and GCP services map cleanly onto Security Rule requirements when configured correctly. AWS provides a BAA (it is signed via AWS Artifact, not negotiated separately), and HIPAA-eligible services include EC2, S3, RDS, EKS, Lambda, and dozens more. Azure and GCP offer equivalent BAAs and HIPAA-aligned service catalogues. The compliance gap is rarely in what the cloud provider does — it is in how the customer configures their account: public S3 buckets, IAM users with full admin, RDS instances without encryption, ELBs serving TLS 1.0.

How Opsio Helps

Opsio implements HIPAA Security Rule controls end-to-end on AWS, Azure, and GCP, working alongside compliance officers and CISOs. Our PHI protection services cover the §164.308 administrative-safeguard documentation set, the §164.312 technical control build (encryption, audit logging, access controls, automatic logoff), endpoint and physical-safeguard guidance for §164.310, and the risk analysis that holds the whole programme together. We integrate the engagement with managed detection and response services for continuous monitoring of ePHI environments and with ISO 27001 certification readiness for enterprises for organisations that want a single control framework satisfying both regimes.