What Is the HIPAA Security Rule? Safeguards Explained

The HIPAA Security Rule is a federal regulation that sets standards for protecting electronic health information. Specifically, it requires healthcare organizations and their partners to put administrative, physical, and technical safeguards in place to keep electronic protected health information (ePHI) secure. If your medical records exist in a computer system, an email, or a cloud database, the Security Rule governs how those systems must be protected from unauthorized access, alteration, or destruction.

The rule was published by the U.S. Department of Health and Human Services (HHS) and applies to every organization that handles electronic health data in a covered capacity. It doesn’t tell organizations exactly which technologies to use. Instead, it sets a framework of standards and lets each organization decide how to meet them based on its size, complexity, and risk environment.

Who Must Comply

The Security Rule applies to two categories: covered entities and business associates. Covered entities include health care providers (doctors, clinics, dentists, psychologists, chiropractors, nursing homes, pharmacies), health plans (insurance companies, HMOs, employer-sponsored plans, Medicare, Medicaid, military and veterans health programs), and health care clearinghouses, which are organizations that convert nonstandard health data into standard electronic formats. Providers are covered only if they transmit health information electronically in connection with a standard transaction, such as billing or claims.

Business associates are companies or individuals that handle ePHI on behalf of a covered entity. Think: a cloud storage vendor hosting patient records, an IT firm managing a clinic’s servers, or a billing company processing claims. Any business associate must sign a written contract with the covered entity agreeing to follow the Security Rule’s requirements. Business associates are also directly liable for compliance, not just contractually obligated.

How It Differs From the Privacy Rule

People often confuse the Security Rule with the HIPAA Privacy Rule, but they address different problems. The Privacy Rule governs when and how protected health information can be used or shared. It covers all forms of health data: paper, verbal, electronic. It answers questions like “Can my doctor share my records with a specialist without asking me first?”

The Security Rule is narrower in scope but more technical. It applies only to electronic health information and focuses on the controls organizations must have in place to protect that data: passwords, encryption, access logs, physical locks on server rooms. The Security Rule is essentially the enforcement mechanism that makes the Privacy Rule’s promises possible in digital systems.

The Three Safeguard Categories

The Security Rule organizes its requirements into three categories: administrative, physical, and technical safeguards. Each category contains a set of standards, and each standard has implementation specifications that are either “required” or “addressable.” Together, they form a comprehensive security framework.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and personnel decisions that form the backbone of a security program. The Security Rule lists nine standards in this category, making it the largest of the three. These include conducting a risk analysis to identify threats to ePHI, designating a specific security official responsible for the organization’s security program, implementing workforce security policies so employees only access the data they need, running security awareness training for all staff (including management), creating incident response procedures for when something goes wrong, and maintaining a contingency plan for emergencies like fires, natural disasters, or system failures.

Organizations must also periodically evaluate whether their security measures still meet the rule’s requirements, especially after operational or environmental changes. And any arrangement with a business associate must be formalized in a written contract that spells out security obligations.

Physical Safeguards

Physical safeguards protect the actual buildings, equipment, and devices where ePHI lives. The rule requires four standards here. Facility access controls limit who can physically enter spaces that house electronic systems, including visitor management and role-based access. Workstation use and workstation security standards require organizations to define how workstations with access to ePHI should be used and to physically restrict access to authorized users only.

Device and media controls govern what happens when hardware or storage media move into, out of, or within a facility. This includes two required specifications: proper disposal of ePHI when hardware is retired, and wiping electronic media before reuse. Organizations should also track the movement of devices and maintain records of who is responsible for them.

Technical Safeguards

Technical safeguards are the technology-based protections built into the systems themselves. The rule defines five standards:

  • Access control: Systems must allow access only to people or software programs that have been granted specific access rights.
  • Audit controls: Organizations must implement mechanisms that record and examine activity in systems containing ePHI, creating a trail that can reveal unauthorized access.
  • Integrity controls: Policies and procedures must protect ePHI from being improperly altered or destroyed.
  • Authentication: Systems must verify that anyone seeking access to ePHI is actually who they claim to be.
  • Transmission security: Technical measures must guard against unauthorized access to ePHI while it’s being sent over a network.

Encryption is a common tool for meeting both the integrity and transmission security standards, though the rule doesn’t mandate any single technology.
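The following is an added example, not code from the original article and not anything the rule prescribes: a toy ePHI access layer that shows what four of the five technical safeguards look like in code. Access control is a role-to-permission table, authentication is a salted PBKDF2 password check, audit controls are an append-only log of every attempt (allowed or denied), and integrity is an HMAC chain over that log so that editing, deleting or reordering an entry is detectable. The roles, user names, the demo key and the sample record are all constructed; transmission security is not shown because it needs a network and is normally delegated to TLS.

```python
"""Toy ePHI access layer: access control, authentication, audit controls and
integrity from the list above. Added example; the roles, users and the
HMAC-chained log design are assumptions, not anything the rule prescribes."""
import hashlib
import hmac
import json
import os
import time

# Constructed role-to-permission policy (access control standard).
POLICY = {"physician": {"read", "write"}, "billing": {"read"}, "facilities": set()}
# Constructed demo key; a real deployment keeps this in a KMS/HSM, not in code.
AUDIT_KEY = b"constructed-demo-audit-key"
GENESIS = "0" * 64


class AuditLog:
    """Append-only log in which each entry's MAC covers the previous MAC, so
    deleting, reordering or editing any entry breaks verification (integrity)."""

    def __init__(self):
        self.entries = []
        self.last_mac = GENESIS

    @staticmethod
    def _mac(prev_mac, event):
        body = prev_mac + json.dumps(event, sort_keys=True)
        return hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        mac = self._mac(self.last_mac, event)
        self.entries.append({"event": event, "mac": mac})
        self.last_mac = mac

    def verify(self):
        """Recompute the chain from the start; True only if nothing was altered."""
        prev = GENESIS
        for entry in self.entries:
            expected = self._mac(prev, entry["event"])
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = expected
        return prev == self.last_mac


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class EphiStore:
    def __init__(self):
        # Constructed sample record; no real patient data.
        self.records = {"pt-001": {"name": "Sample Patient", "allergies": ["penicillin"]}}
        self.log = AuditLog()
        self.users = {}        # user -> (role, salt, password hash)
        self.sessions = set()  # users who have authenticated

    def enroll(self, user, role, password):
        salt = os.urandom(16)
        self.users[user] = (role, salt, _hash_password(password, salt))

    def authenticate(self, user, password):
        """Authentication standard: prove identity before any ePHI access."""
        if user not in self.users:
            return False
        role, salt, stored = self.users[user]
        ok = hmac.compare_digest(stored, _hash_password(password, salt))
        self.log.append({"ts": time.time(), "user": user, "action": "login", "ok": ok})
        if ok:
            self.sessions.add(user)
        return ok

    def access(self, user, action, patient_id, new_value=None):
        """Access control + audit controls: every attempt is logged, allowed or not."""
        role = self.users[user][0] if user in self.users else None
        allowed = user in self.sessions and action in POLICY.get(role, set())
        self.log.append({"ts": time.time(), "user": user, "action": action,
                         "patient": patient_id, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not {action} {patient_id}")
        if action == "write":
            self.records[patient_id] = new_value
        return self.records.get(patient_id)


if __name__ == "__main__":
    store = EphiStore()
    store.enroll("dr_lee", "physician", "correct horse battery staple")
    store.enroll("clerk", "billing", "hunter2")
    store.authenticate("dr_lee", "correct horse battery staple")
    print(store.access("dr_lee", "read", "pt-001"))
    print("audit log intact:", store.log.verify())
    store.log.entries[0]["event"]["ok"] = False  # simulate tampering
    print("audit log intact after edit:", store.log.verify())
```

The denied attempts are logged before the `PermissionError` is raised, which is the point of the audit standard: the trail has to show who tried what, not only what succeeded. The chained MAC is one way to meet the integrity standard for the log itself; a real system would also protect the key and ship the log off-host.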

Required vs. Addressable Specifications

One of the most misunderstood parts of the Security Rule is the distinction between “required” and “addressable” implementation specifications. Required specifications are straightforward: you must implement them, no exceptions. Addressable specifications offer more flexibility, but “addressable” does not mean “optional.”

When facing an addressable specification, an organization must assess whether it’s a reasonable and appropriate measure given its specific environment. If it is, the organization must implement it. If it isn’t, the organization must either implement an equivalent alternative that accomplishes the same goal or document why neither the specification nor any alternative is necessary. That decision must be put in writing, including the factors considered and the risk assessment that informed it. This flexibility was designed so that a two-person dental practice isn’t held to the exact same technical setup as a large hospital system, while still ensuring both adequately protect patient data.

Risk Analysis: The Foundation of Compliance

If there’s one requirement that anchors the entire Security Rule, it’s the risk analysis. Every covered entity and business associate must conduct an accurate, thorough assessment of the risks to their ePHI. HHS doesn’t prescribe a specific methodology, but it outlines a general process adapted from National Institute of Standards and Technology (NIST) guidance: identify the scope of the analysis, gather data on where ePHI is stored and how it moves, document potential threats and vulnerabilities, assess existing security measures, estimate the likelihood and impact of each threat, determine the overall level of risk, and then identify what additional security measures are needed.
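As an added example (not HHS or NIST tooling, and not a format the rule requires), the seven-step process above can be carried through as a small risk register. The asset inventory, the threat list, the 1-3 likelihood and impact scales, and the heuristic that each relevant existing control lowers likelihood by one level are all constructed for illustration; the output is one row per asset/threat pair, ranked by residual risk, with the additional measure recorded only where risk stays medium or high.

```python
"""Worked risk-analysis register following the step sequence in the text.
Added example; assets, threats, scales and the control-matching heuristic are
constructed for illustration, not prescribed by HHS or NIST."""
from dataclasses import dataclass

SCALE = {"low": 1, "medium": 2, "high": 3}  # constructed 3-point scale


@dataclass(frozen=True)
class Asset:
    """Step 2 (where ePHI lives / how it moves) and step 4 (measures in place)."""
    name: str
    kind: str                  # server | laptop | transmission
    location: str
    existing_controls: frozenset


@dataclass(frozen=True)
class Threat:
    """Step 3 (threat + vulnerability) with the inputs for step 5 and step 7."""
    description: str
    vulnerability: str
    applies_to: frozenset      # asset kinds in scope for this threat (step 1)
    likelihood: str            # inherent likelihood before any controls
    impact: str
    mitigated_by: frozenset    # each control present lowers likelihood one level
    recommendation: str        # measure to add if residual risk is medium or high


def residual_likelihood(threat, asset):
    present = threat.mitigated_by & asset.existing_controls
    return max(1, SCALE[threat.likelihood] - len(present))


def risk_level(score):
    """Step 6: map likelihood x impact (1..9) onto an overall level."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_risk_register(assets, threats):
    """Steps 1-7 combined: one row per applicable asset/threat pair, highest first."""
    rows = []
    for asset in assets:
        for threat in threats:
            if asset.kind not in threat.applies_to:
                continue
            likelihood = residual_likelihood(threat, asset)
            impact = SCALE[threat.impact]
            score = likelihood * impact
            level = risk_level(score)
            rows.append({
                "asset": asset.name, "location": asset.location,
                "threat": threat.description, "vulnerability": threat.vulnerability,
                "likelihood": likelihood, "impact": impact, "score": score, "level": level,
                "missing_controls": sorted(threat.mitigated_by - asset.existing_controls),
                # step 7: only medium/high residual risk calls for new measures
                "additional_measures": threat.recommendation if level != "low" else "",
            })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed inventory (step 2) with the controls already in place (step 4).
ASSETS = [
    Asset("EHR database server", "server", "on-premises data center",
          frozenset({"encryption at rest", "access logging", "nightly backup"})),
    Asset("Clinician laptop", "laptop", "mobile / home use",
          frozenset({"screen-lock password"})),
    Asset("Claims transfer to clearinghouse", "transmission", "internet",
          frozenset({"tls"})),
]

# Constructed threat/vulnerability pairs (step 3) with estimates (step 5).
THREATS = [
    Threat("Lost or stolen device", "unencrypted local storage", frozenset({"laptop"}),
           "high", "high", frozenset({"full-disk encryption", "remote wipe"}),
           "Deploy full-disk encryption and remote wipe on all laptops"),
    Threat("Ransomware encrypts the database", "unpatched services reachable from workstations",
           frozenset({"server"}), "medium", "high",
           frozenset({"nightly backup", "patch management", "network segmentation"}),
           "Add patch management and segment the database network"),
    Threat("Interception of claims in transit", "transfer could fall back to cleartext",
           frozenset({"transmission"}), "medium", "high", frozenset({"tls"}),
           "Enforce TLS-only transfer and verify the clearinghouse certificate"),
    Threat("Workforce member browses records without need", "no role-based restriction on lookups",
           frozenset({"server", "laptop"}), "medium", "medium",
           frozenset({"access logging", "role-based access"}),
           "Implement role-based access and review access logs"),
]

if __name__ == "__main__":
    for row in build_risk_register(ASSETS, THREATS):
        print(f'{row["score"]} {row["level"]:6} {row["asset"]:34} {row["threat"]}')
        if row["additional_measures"]:
            print("   ->", row["additional_measures"])
```

The register is the artifact HHS expects to see documented: for each row it records the asset, the threat and vulnerability, the existing controls considered, the likelihood and impact estimate, and the resulting decision. Re-running it after a new laptop rollout or a new vendor connection is the periodic revisit the rule calls for.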

The risk analysis must be documented, though there’s no required format. It also isn’t a one-time exercise. Organizations need to revisit it periodically and whenever significant changes occur, such as adopting new technology, expanding to a new location, or experiencing a security incident. Failing to conduct a risk analysis is one of the most common compliance failures that HHS investigators find. According to cumulative enforcement data from HHS, lack of administrative safeguards for ePHI (which includes risk analysis failures) ranks among the top five most frequently alleged compliance issues in HIPAA complaints.

What Happens When Organizations Fall Short

The HHS Office for Civil Rights (OCR) enforces the Security Rule through complaint investigations, compliance reviews, and audits. The most common compliance problems OCR encounters aren’t exotic cyberattacks. They’re basic failures: organizations not safeguarding health information, not giving patients access to their records, not limiting data sharing to the minimum necessary, and not having administrative safeguards in place for electronic data.

Penalties range from corrective action plans to financial settlements that can reach millions of dollars, depending on the severity and whether the organization showed willful neglect. In practice, many enforcement actions stem from data breaches that reveal underlying compliance gaps, like the lack of a risk analysis or the absence of encryption on portable devices. The breach itself may be what draws attention, but the investigation often uncovers systemic issues that existed long before the incident.

For organizations working toward compliance, NIST publishes a cybersecurity resource guide (Special Publication 800-66) that maps the Security Rule’s standards and specifications to the NIST Cybersecurity Framework and specific security controls. It’s a practical tool for translating the rule’s broad requirements into concrete technical steps.