The HIPAA Security Rule is the standard that governs the safeguarding of electronic protected health information (ePHI). Codified in federal regulations at 45 CFR Parts 160 and 164, this rule was established in February 2003 under the Health Insurance Portability and Accountability Act of 1996 and later strengthened by the HITECH Act of 2009. It applies to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) as well as their business associates.
The Security Rule is built around three goals: protecting the confidentiality, integrity, and availability of all ePHI that an organization creates, receives, maintains, or transmits. It does this through three categories of safeguards: administrative, physical, and technical.
Administrative Safeguards
Administrative safeguards are the policies, procedures, and workforce management practices that form the backbone of ePHI protection. The most critical requirement here is the risk analysis. Every regulated entity must perform an accurate and thorough assessment of potential risks and vulnerabilities to ePHI, then implement security measures that reduce those risks to a reasonable and appropriate level.
A compliant risk analysis has several required elements. You need to identify everywhere ePHI is stored, received, maintained, or transmitted. You must document reasonably anticipated threats and vulnerabilities, assess the security measures already in place, determine the likelihood and potential impact of each threat, assign risk levels, and document the entire process. The Security Rule doesn’t mandate a specific format for this documentation, but the analysis itself is non-negotiable.
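The elements listed above map naturally onto a risk register, and a small piece of code makes the flow concrete: every ePHI location is paired with a reasonably anticipated threat, the controls already in place are recorded, a likelihood and impact are assigned, and a risk level is derived and documented. The following Python is an added illustration, not code from the article or from any regulator; the three-point scoring scale, the thresholds in rate(), and the sample locations, threats and controls are all constructed assumptions, since the Security Rule mandates no particular scale or format.

```python
"""Added example: a minimal risk register covering the required elements
of a Security Rule risk analysis. Scale, thresholds and sample data are
constructed for illustration only."""
from dataclasses import dataclass, field, asdict
from typing import List
import json

# Assumed three-point qualitative scale (the rule prescribes none).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def rate(score: int) -> str:
    """Map a likelihood x impact product (1..9) to a documented risk level.
    Thresholds are an assumption for this example."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    location: str                 # where ePHI is stored, received, maintained or transmitted
    threat: str                   # reasonably anticipated threat or vulnerability
    existing_controls: List[str]  # security measures already in place
    likelihood: str
    impact: str
    score: int = field(init=False)
    level: str = field(init=False)

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be low, medium or high")
        self.score = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        self.level = rate(self.score)


def build_register(items: List[RiskItem]) -> List[RiskItem]:
    """Order the register highest risk first so remediation priority is explicit."""
    return sorted(items, key=lambda r: r.score, reverse=True)


def register_report(register: List[RiskItem]) -> str:
    """Serialise the whole analysis; this is the documentation artifact."""
    return json.dumps([asdict(r) for r in register], indent=2)


def items_needing_action(register: List[RiskItem], level: str = "high") -> List[str]:
    """Locations whose risk level is not yet reduced to a reasonable and appropriate level."""
    return [r.location for r in register if r.level == level]


# Constructed sample inventory (hypothetical organisation).
SAMPLE_REGISTER = build_register([
    RiskItem("EHR database server", "unpatched OS vulnerability exploited remotely",
             ["perimeter firewall", "monthly patching"], "medium", "high"),
    RiskItem("Clinician laptops", "device lost or stolen with unencrypted disk",
             ["cable locks"], "high", "high"),
    RiskItem("Billing SFTP transfer to clearinghouse", "interception in transit",
             ["SFTP with key-based authentication"], "low", "high"),
    RiskItem("Reception scanning workstation", "shoulder surfing from waiting area",
             ["privacy screen filter"], "medium", "low"),
])

if __name__ == "__main__":
    print(register_report(SAMPLE_REGISTER))
    print("needs action:", items_needing_action(SAMPLE_REGISTER))
```

Re-running the same register after a control is added (for example, full-disk encryption on the laptops lowers the impact of a lost device) is how the "assess the security measures already in place" and "determine likelihood and impact" steps become a repeatable, documented cycle rather than a one-time exercise.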
Beyond risk analysis, administrative safeguards also require workforce security policies ensuring that employees who work with ePHI have appropriate authorization, supervision, and access levels. Information access management ties directly to the Privacy Rule’s “minimum necessary” principle: access to ePHI should only be granted when it’s appropriate for the user’s role.
Physical Safeguards
Physical safeguards address the tangible environment where ePHI lives. Workstation security requires physical protections on all workstations that access ePHI, restricting access to authorized users only. This can mean anything from positioning screens away from public view to locking rooms where servers are housed.
Device and media controls govern what happens to hardware and electronic media containing ePHI as they move into, out of, and within a facility. Two specifications are mandatory: you must have policies for securely disposing of ePHI and its storage media, and you must have procedures for wiping ePHI from electronic media before reusing them. Two additional specifications, tracking the movement of hardware and creating exact backup copies before moving equipment, are “addressable,” meaning organizations must implement them where reasonable and appropriate.
Technical Safeguards
Technical safeguards are the technology-based protections built into the systems that store and transmit ePHI. The access control standard requires that only authorized persons or software programs can reach ePHI. Within access control, two specifications are required: every user must have a unique identifier for tracking purposes, and organizations must have emergency access procedures so ePHI remains available during a crisis. Automatic logoff after inactivity and encryption of ePHI are addressable specifications.
Audit controls require organizations to implement mechanisms that record and examine activity in systems containing ePHI. The integrity standard requires protections against improper alteration or destruction of ePHI. And person or entity authentication requires procedures to verify that anyone seeking access to ePHI is who they claim to be.
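To show how the access control, audit control, integrity and authentication standards fit together in one system, here is an added Python example that is not from the article or any named product. It models a tiny ePHI access layer: each person has a unique user identifier, role-based filtering enforces the Privacy Rule's minimum-necessary principle, an emergency access path returns the full record but flags the event for review, sessions are automatically logged off after inactivity, and every access attempt is written to an audit log whose entries are sealed with an HMAC so improper alteration is detectable. The user IDs, roles, record fields, timeout value and integrity key are all constructed assumptions; a real deployment would verify credentials against a proper identity provider and keep the key in a key management service.

```python
"""Added example: technical safeguards in a toy ePHI access layer.
All identifiers, roles, records and keys are constructed for illustration."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

INTEGRITY_KEY = b"constructed-demo-key-not-for-real-use"  # assumption: a KMS-held key in practice
LOGOFF_AFTER = 900  # seconds of inactivity before automatic logoff (addressable specification)

# Unique user identifier -> role. One identity per person so activity can be traced.
USERS = {"u-1001": "physician", "u-1002": "billing", "u-2001": "on-call-physician"}

# Minimum necessary: fields each role may read in normal operation.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications"},
    "on-call-physician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
}

# Constructed sample record store.
RECORDS = {"p-42": {"name": "Jane Doe", "diagnosis": "constructed", "medications": "constructed",
                    "insurance_id": "INS-0001"}}

AUDIT_LOG: List[dict] = []
SESSIONS: Dict[str, float] = {}  # user id -> timestamp of last activity


def seal(entry: dict) -> dict:
    """Integrity control: HMAC over the canonical JSON of an audit entry."""
    body = json.dumps(entry, sort_keys=True).encode()
    entry["mac"] = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return entry


def verify(entry: dict) -> bool:
    """Recompute the HMAC without the stored tag and compare in constant time."""
    copy = {k: v for k, v in entry.items() if k != "mac"}
    body = json.dumps(copy, sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.get("mac", ""))


def audit(ts: float, user: str, patient: str, action: str, outcome: str, **extra) -> None:
    """Audit control: record every access attempt, allowed or denied."""
    AUDIT_LOG.append(seal({"ts": ts, "user": user, "patient": patient,
                           "action": action, "outcome": outcome, **extra}))


def login(user: str, now: float) -> None:
    """Person or entity authentication (placeholder: only checks the ID is known)."""
    if user not in USERS:
        raise PermissionError("unknown user identifier")
    SESSIONS[user] = now


def read_record(user: str, patient: str, now: float, emergency: bool = False) -> Optional[dict]:
    """Access control: session check, role-based field filtering, emergency override."""
    last = SESSIONS.get(user)
    if last is None or now - last > LOGOFF_AFTER:
        SESSIONS.pop(user, None)  # automatic logoff after inactivity
        audit(now, user, patient, "read", "denied", reason="no active session")
        return None
    SESSIONS[user] = now
    record = RECORDS.get(patient)
    if record is None:
        audit(now, user, patient, "read", "denied", reason="no such record")
        return None
    if emergency:
        # Emergency access procedure: full record is returned, access is flagged for review.
        audit(now, user, patient, "read", "allowed", emergency=True)
        return dict(record)
    allowed = ROLE_FIELDS[USERS[user]]
    audit(now, user, patient, "read", "allowed", fields=sorted(allowed))
    return {k: v for k, v in record.items() if k in allowed}


def tampered_entries() -> List[int]:
    """Indices of audit entries whose HMAC no longer matches their content."""
    return [i for i, e in enumerate(AUDIT_LOG) if not verify(e)]
```

Note that denied attempts are logged as well as successful ones; a reviewer examining the log (the "examine activity" half of the audit controls standard) needs to see failed and emergency accesses, not only routine reads, and the HMAC seal lets that reviewer trust the log has not been edited after the fact.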
Required vs. Addressable Specifications
One of the most misunderstood aspects of the Security Rule is the difference between “required” and “addressable” implementation specifications. Required specifications must be implemented, full stop. Addressable specifications demand a more nuanced process, but “addressable” does not mean “optional.” If a specification is addressable, you must assess whether it’s a reasonable and appropriate safeguard for your organization. If it is, you implement it. If it isn’t, you must document why and implement an equivalent alternative measure that achieves the same protective goal.
Encryption is a good example. It’s classified as addressable, which means an organization could theoretically choose an alternative if encryption isn’t reasonable for a specific use case. In practice, encryption is so widely available and effective that most organizations would have difficulty justifying not using it.
Who Must Comply
The Security Rule applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. It also extends to business associates, which are companies or individuals that perform functions involving ePHI on behalf of a covered entity. Cloud storage providers, billing companies, IT contractors, and similar vendors all fall under this umbrella. Covered entities must obtain contractual assurances that their business associates will use appropriate safeguards to protect ePHI.
Penalties for Noncompliance
The Office for Civil Rights (OCR) at the Department of Health and Human Services enforces the Security Rule, and penalties are structured in four tiers based on the level of culpability. As of August 2024, the penalty ranges are:
- Tier 1, lack of knowledge: $141 to $71,162 per violation, capped at $2,134,831 per year for identical violations.
- Tier 2, reasonable cause without willful neglect: $1,424 to $71,162 per violation, same annual cap.
- Tier 3, willful neglect corrected within 30 days: $14,232 to $71,162 per violation, same annual cap.
- Tier 4, willful neglect not corrected within 30 days: $71,162 to $2,134,831 per violation, with the annual cap matching the maximum single penalty.
The jump between tiers is significant. An organization that didn’t know about a vulnerability faces a minimum penalty of $141, while one that knew about a problem and failed to fix it within 30 days faces a minimum of $71,162 per violation.
NIST Guidance for Implementation
While the HIPAA Security Rule sets the legal requirements, NIST Special Publication 800-66 (Revision 2) provides practical guidance for actually meeting them. This resource guide maps each Security Rule standard and implementation specification to NIST Cybersecurity Framework subcategories and specific security controls. It’s designed for regulated entities of all sizes and is particularly useful for smaller organizations that may not have dedicated compliance teams. The publication is freely available through the NIST Computer Security Resource Center.