HIPAA Security Rule Explained
Quick Answer
The HIPAA Security Rule establishes national standards requiring covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI).
HIPAA Security Rule Overview
The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) specifically focuses on protecting electronic Protected Health Information (ePHI). While the Privacy Rule covers all forms of PHI, the Security Rule addresses the specific risks of electronic data and requires three categories of safeguards: administrative, physical, and technical.
Key Takeaways
- The Security Rule applies specifically to ePHI (electronic Protected Health Information)
- Three safeguard categories: administrative (people/processes), physical (facilities/devices), technical (technology)
- Safeguards are classified as "required" or "addressable" — addressable does NOT mean optional
- Risk assessment is the cornerstone — all other safeguards flow from risk analysis results
- The Security Rule is technology-neutral — it specifies what to achieve, not which tools to use
Understanding Required vs Addressable
❗ "Addressable" Does Not Mean Optional
HIPAA classifies safeguards as either Required (R) or Addressable (A). "Addressable" means you must assess whether the safeguard is reasonable and appropriate for your environment. If it is, you must implement it. If it's not, you must document why and implement an equivalent alternative measure. You cannot simply skip addressable safeguards.
Administrative Safeguards
Administrative safeguards are the policies and procedures that govern how security measures protecting ePHI are selected, developed, implemented, and maintained. They account for more than half of the Security Rule's requirements. In the tables that follow, the Type column refers to the implementation specifications under each standard: every standard itself is mandatory, and only its implementation specifications are marked Required (R) or Addressable (A).
| Standard | Key Requirements | Type |
|---|---|---|
| Security Management Process | Risk analysis, risk management, sanction policy, information system activity review | R |
| Assigned Security Responsibility | Designate a security official responsible for policies and procedures | R |
| Workforce Security | Authorization/supervision procedures, workforce clearance, termination procedures | A |
| Information Access Management | Access authorization, access establishment/modification, isolating healthcare clearinghouse functions | R/A |
| Security Awareness and Training | Security reminders, malware protection, login monitoring, password management | A |
| Security Incident Procedures | Response and reporting procedures for security incidents | R |
| Contingency Plan | Data backup, disaster recovery, emergency mode operations, testing, applications/data criticality analysis | R/A |
| Evaluation | Periodic technical and non-technical evaluation of security | R |
| Business Associate Contracts | Satisfactory assurances from business associates | R |
Physical Safeguards
| Standard | Key Requirements | Type |
|---|---|---|
| Facility Access Controls | Contingency operations, facility security plan, access control/validation, maintenance records | A |
| Workstation Use | Policies for workstation use and physical environment | R |
| Workstation Security | Physical safeguards restricting access to workstations | R |
| Device and Media Controls | Disposal, media re-use, accountability, data backup and storage | R/A |
Technical Safeguards
| Standard | Key Requirements | Type |
|---|---|---|
| Access Control | Unique user identification (R), emergency access (R), automatic logoff (A), encryption and decryption (A) | R/A |
| Audit Controls | Mechanisms to record and examine access to systems containing ePHI | R |
| Integrity | Mechanisms to authenticate ePHI, protect from improper alteration/destruction | A |
| Person or Entity Authentication | Verify identity of persons/entities seeking access to ePHI | R |
| Transmission Security | Integrity controls (A), encryption (A) for ePHI transmitted over electronic networks | A |
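The Rule names the outcomes above (unique user identification, audit controls, integrity) but, being technology-neutral, does not say how to build them. The following is an added illustration, not text from the Rule or code from any product, of one way to satisfy three of those standards in a small record store: each record carries an HMAC integrity tag that is verified on every read, every access is written to a hash-chained audit log that detects later editing, and access is refused without an individual user identifier. The key, the record layout, the shared-account list and the log format are all constructed for the example; encryption at rest, which the Rule also expects you to evaluate, is out of scope here.

```python
import hashlib
import hmac
import json

# Constructed list of generic accounts that would defeat "unique user identification".
SHARED_ACCOUNTS = {"admin", "nurse", "frontdesk"}


class IntegrityError(Exception):
    """Raised when a stored ePHI record fails its integrity check."""


class EphiStore:
    """In-memory ePHI store: per-record HMAC tag plus a hash-chained audit log.
    Illustrative only; key, formats and storage are assumptions for the demo."""

    def __init__(self, integrity_key: bytes):
        if len(integrity_key) < 32:
            raise ValueError("integrity key must be at least 32 bytes")
        self._key = integrity_key
        self._records: dict[str, list] = {}   # record_id -> [payload_bytes, tag]
        self.audit_log: list[dict] = []
        self._prev_hash = "0" * 64            # chain anchor for the first log entry
        self._seq = 0

    # Integrity: HMAC-SHA256 over record id + payload, so a record cannot be
    # swapped into another id or altered in storage without detection.
    def _tag(self, record_id: str, payload: bytes) -> str:
        msg = record_id.encode() + b"\x00" + payload
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    # Audit controls: append-only entries, each hashed together with the
    # previous entry's hash so that editing or deleting one breaks the chain.
    def _audit(self, user_id: str, action: str, record_id: str, outcome: str) -> None:
        self._seq += 1
        entry = {"seq": self._seq, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, "prev": self._prev_hash}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.audit_log.append(entry)
        self._prev_hash = digest

    def verify_audit_chain(self) -> bool:
        """Recompute every entry hash and link; False if any entry was altered."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    # Unique user identification: refuse empty or shared identifiers.
    @staticmethod
    def _require_user(user_id: str) -> None:
        if not user_id or user_id in SHARED_ACCOUNTS:
            raise PermissionError("access requires an individual user identifier")

    def write(self, user_id: str, record_id: str, record: dict) -> None:
        self._require_user(user_id)
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = [payload, self._tag(record_id, payload)]
        self._audit(user_id, "write", record_id, "ok")

    def read(self, user_id: str, record_id: str) -> dict:
        self._require_user(user_id)
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(user_id, "read", record_id, "integrity_failure")
            raise IntegrityError(f"record {record_id} was altered outside the application")
        self._audit(user_id, "read", record_id, "ok")
        return json.loads(payload)

    def corrupt_storage(self, record_id: str, payload: bytes) -> None:
        """Simulates a change made directly to storage, bypassing the API."""
        self._records[record_id][0] = payload


def demo() -> dict:
    """Constructed walkthrough: normal read, tampered read, audit-log edit."""
    store = EphiStore(b"constructed-32-byte-demo-key-0123456789")  # demo key, not a real one
    store.write("dr.smith.0421", "pt-1001", {"name": "Jane Doe", "dx": "J45.20"})
    first = store.read("dr.smith.0421", "pt-1001")
    store.corrupt_storage("pt-1001", b'{"dx": "Z00.00", "name": "Jane Doe"}')
    try:
        store.read("rn.lee.0930", "pt-1001")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    chain_ok = store.verify_audit_chain()
    store.audit_log[1]["user"] = "someone.else"   # attacker rewrites a log entry
    chain_after_edit = store.verify_audit_chain()
    return {"first_read": first, "tamper_detected": tamper_detected,
            "chain_ok": chain_ok, "chain_after_edit": chain_after_edit,
            "entries": len(store.audit_log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The failed read is itself logged before the error is raised, which is the behaviour an "information system activity review" under the administrative safeguards needs: the reviewer sees who tried to read a record that had been altered, not just that a read failed.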
Implementation Priorities
Security Rule Implementation Order
Start with risk assessment, then build out safeguards based on identified risks
1. Risk Analysis: identify threats, vulnerabilities, and risks to ePHI
2. Risk Management: implement measures to reduce risks to reasonable and appropriate levels
3. Policies & Training: document safeguards and train the workforce
4. Technical Controls: deploy access controls, encryption, and audit logging
5. Ongoing Monitoring: review, evaluate, and update safeguards regularly, and repeat the risk analysis when the environment changes
Does the Security Rule require encryption?
Encryption is an "addressable" implementation specification under both the Access Control standard (encryption at rest) and the Transmission Security standard (encryption in transit). This means you must assess whether encryption is reasonable and appropriate for your environment. In virtually all modern technology contexts it is, so not encrypting ePHI requires a documented justification and an equivalent alternative measure, which is extremely rare in practice. There is also a practical incentive beyond the Security Rule: under the Breach Notification Rule, ePHI encrypted in line with HHS guidance is not "unsecured PHI", so the loss of a properly encrypted device or file does not by itself trigger breach notification.
Does the Security Rule require specific technologies?
No. The Security Rule is technology-neutral. It specifies what safeguards you must achieve but doesn't mandate specific products, platforms, or technologies. This allows organizations to choose solutions appropriate for their size, complexity, and budget.
How often must technical safeguards be evaluated?
The Security Rule requires periodic evaluation but doesn't specify an exact frequency. Best practice is to evaluate technical safeguards at least annually, and whenever significant changes occur in your environment (new systems, organizational changes, or after a security incident). The evaluation should be tied back to the risk analysis, since that is what justifies the safeguards you chose.
What's the penalty for violating the Security Rule specifically?
Security Rule violations follow the same four-tier HIPAA civil penalty structure as other HIPAA violations, based on the level of knowledge and neglect: did not know, reasonable cause, willful neglect that was corrected, and willful neglect that was not corrected. The per-violation amounts and annual caps per violation category are adjusted for inflation by HHS, so the exact figures change from year to year; the commonly cited range is $100 to $50,000 per violation with annual caps from $25,000 to roughly $1.9 million, but check HHS's current adjusted table before relying on any number. OCR can also require corrective action plans and monitoring.