HIPAA Security Rule

The HIPAA Security Rule establishes national standards for protecting electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

What is the HIPAA Security Rule?

The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) sets the national floor for protecting electronic protected health information (ePHI). While the HIPAA Privacy Rule covers all forms of PHI, the Security Rule focuses exclusively on ePHI — any protected health information that is created, received, maintained, or transmitted in electronic form.

Every covered entity and business associate that handles ePHI must implement a set of safeguards designed to ensure the confidentiality, integrity, and availability of that data. The rule is intentionally flexible: it recognizes that a two-person dental practice faces different risks than a national hospital chain, so it allows organizations to choose how they meet each standard based on their size, complexity, and risk profile.

For a broader overview of HIPAA compliance requirements, see the main framework page. You can also review the HIPAA glossary entry for foundational definitions.

The three safeguard categories

Administrative safeguards

Administrative safeguards are the policies, procedures, and organizational measures that manage the selection, development, and implementation of security controls. They typically consume the most time and resources because they touch every part of the organization.

Key standards within administrative safeguards include:

  • Security management process — conduct a thorough risk analysis, implement risk management measures, apply sanctions for policy violations, and review information system activity regularly.
  • Assigned security responsibility — designate a single security official accountable for developing and implementing security policies. This person does not need to perform every task, but they must own the program.
  • Workforce security — establish procedures for authorizing access, supervising workforce members who interact with ePHI, and terminating access when employment ends.
  • Information access management — implement policies that grant access to ePHI only when a workforce member's role requires it. This aligns closely with the Privacy Rule's minimum necessary standard.
  • Security awareness and training — deliver periodic training on password management, malicious software protection, log-in monitoring, and security reminders.
  • Contingency planning — maintain a data backup plan, disaster recovery plan, and emergency mode operation plan. Test and revise these plans on a defined schedule.
  • Evaluation — perform periodic technical and non-technical evaluations in response to environmental or operational changes.

Physical safeguards

Physical safeguards protect the electronic systems, equipment, and buildings that house ePHI from unauthorized physical access, tampering, and natural hazards.

Key standards include:

  • Facility access controls — implement policies governing who may physically enter areas where ePHI systems reside. This covers contingency operations, facility security plans, access control and validation procedures, and maintenance records.
  • Workstation use — define the functions performed at each workstation and the physical attributes of its surroundings that protect ePHI. A laptop used in a public coffee shop carries different risks than a desktop inside a locked server room.
  • Workstation security — implement physical safeguards for all workstations that access ePHI, restricting access to authorized users only.
  • Device and media controls — govern the receipt, removal, backup, storage, reuse, and disposal of hardware and electronic media containing ePHI. This includes maintaining records of device movements and creating retrievable exact copies of ePHI before equipment is moved.

Technical safeguards

Technical safeguards are the technology and related policies that protect ePHI and control access to it. These are the controls most familiar to engineering and IT teams.

Key standards include:

  • Access control — implement technical measures allowing only authorized persons to access ePHI. This includes unique user identification, emergency access procedures, automatic logoff, and encryption and decryption mechanisms.
  • Audit controls — deploy hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.
  • Integrity — protect ePHI from improper alteration or destruction, including mechanisms to authenticate that data has not been changed without authorization.
  • Person or entity authentication — verify that any person or entity seeking access to ePHI is who they claim to be.
  • Transmission security — guard against unauthorized access to ePHI during electronic transmission, including integrity controls and encryption.

Required vs addressable specifications

One of the most misunderstood aspects of the Security Rule is the distinction between required and addressable implementation specifications.

Required specifications

A required specification must be implemented exactly as described. There is no flexibility. Examples include conducting a risk analysis, assigning a security official, and implementing audit controls. If a standard has a required specification, the organization must put it in place — period.

Addressable specifications

An addressable specification does not mean optional. Instead, the organization must perform a documented assessment to determine whether the specification is a reasonable and appropriate safeguard in its environment. There are three possible outcomes:

  1. Implement the specification as written — if the assessment concludes the specification is reasonable and appropriate, implement it.
  2. Implement an equivalent alternative — if the specification is not reasonable and appropriate but the underlying standard still needs to be met, implement an alternative measure that achieves the same protective purpose and document the rationale.
  3. Do not implement — if the specification is not reasonable and appropriate and the standard can be met without it, document the rationale and the factors considered.

The critical requirement is documentation. Regardless of the path chosen, the organization must maintain written records of its analysis and decision. Auditors and the HHS Office for Civil Rights expect to see evidence of thoughtful evaluation, not blanket dismissals.

Risk analysis: the foundation of compliance

The Security Rule's risk analysis requirement underpins the entire program. A compliant risk analysis should identify all systems that handle ePHI, document anticipated threats and vulnerabilities, assess current security measures, determine likelihood and impact of threats, assign risk levels, and prioritize remediation. Every step must be documented.

Risk analysis is not a one-time activity. Organizations must review and update their analysis in response to environmental or operational changes, new threats, and security incidents.

Organizational requirements

Covered entities must obtain satisfactory assurances from their business associates — typically through a Business Associate Agreement (BAA) — that the associate will appropriately safeguard ePHI. Business associates are directly liable for Security Rule compliance under the HITECH Act.

Common Security Rule gaps

Organizations preparing for audits frequently discover recurring gaps:

  • Incomplete or outdated risk analysis — the single most cited deficiency in HHS enforcement actions.
  • Lack of encryption — organizations that skip encryption must document an equivalent alternative, and many cannot.
  • Missing audit logs — logging capability alone is insufficient if no one reviews the output.
  • Inadequate access management — role changes and departures create orphaned accounts with unnecessary ePHI access.
  • No contingency testing — an untested disaster recovery plan provides little real protection.

For healthcare organizations building their Security Rule program, the HIPAA compliance checklist provides a structured walkthrough of every major requirement.

Enforcement and penalties

The HHS Office for Civil Rights (OCR) enforces the Security Rule through complaint investigations, compliance reviews, and audits. Penalties range from $100 to $50,000 per violation with annual maximums of $1.5 million per category. Criminal violations can result in fines up to $250,000 and imprisonment.
