Under HIPAA, what must covered entities do to safeguard ePHI?

Covered entities must implement physical, administrative, and technical safeguards to protect electronic protected health information (ePHI) as mandated by HIPAA. This requirement encompasses a comprehensive approach to security, ensuring that ePHI is secured against potential breaches or unauthorized access.

Physical safeguards involve securing the physical locations and devices that store ePHI, such as ensuring that servers are housed in locked facilities and that workstations are secured when not in use. Administrative safeguards focus on policies and procedures that govern the management of ePHI, such as training employees on privacy and security practices and establishing procedures for reporting breaches. Technical safeguards emphasize the use of technology to protect ePHI, including encryption, access controls, and audit controls to monitor access and use of ePHI.

The other options either represent incomplete measures or ineffective approaches to safeguarding ePHI. Encrypting ePHI only when sent to third parties is insufficient, as ePHI must also be protected at rest and during internal processes. Storing all ePHI on paper files does not align with the digital nature of ePHI and ignores the requirement for digital protection standards. Limiting access only to top management does not ensure that appropriate access levels are adhered to according to job functions, which could lead
