What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards for protecting electronically protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

What are the three HIPAA Security Rule safeguards?

The three HIPAA Security Rule safeguards are administrative safeguards, physical safeguards, and technical safeguards. These categories define the policies, physical protections, and electronic controls required to protect ePHI.

Is a HIPAA risk assessment required?

Yes. The HIPAA Security Rule requires covered entities and business associates to conduct a formal risk assessment to identify vulnerabilities to ePHI, evaluate potential threats, and implement risk management measures.

What is the HIPAA Security Risk Assessment Tool?

The HIPAA Security Risk Assessment Tool is a free resource developed by ONC and the HHS Office for Civil Rights to help small and medium healthcare providers evaluate compliance with the HIPAA Security Rule safeguards.

What is the difference between required and addressable safeguards?

Required safeguards must be implemented exactly as written. Addressable safeguards must also be implemented unless an organization can document why an alternative measure is reasonable and appropriate.

HIPAA Security Rule Requirements Explained (2026 Guide)

The HIPAA Security Rule establishes national standards for protecting electronically protected health information (ePHI). It applies to covered entities and business associates that create, receive, maintain, or transmit ePHI.

The purpose of the rule is to ensure:

Confidentiality of ePHI
Integrity of ePHI
Availability of ePHI

To meet these goals, organizations must implement three categories of safeguards:

HIPAA Administrative Safeguards
HIPAA Physical Safeguards
HIPAA Technical Safeguards

Understanding these HIPAA Security Rule safeguards is essential for maintaining compliance and protecting patient data.

What Are the HIPAA Security Rule Safeguards?

The HIPAA Security Rule safeguards are divided into three main categories. Each category contains required and addressable implementation specifications.

Let’s break them down.

HIPAA Administrative Safeguards

HIPAA administrative safeguards focus on policies, procedures, and workforce oversight to protect ePHI.

They form the foundation of your HIPAA compliance program.

1. Security Management Process

Organizations must:

Conduct a HIPAA risk assessment
Identify vulnerabilities
Implement risk management strategies
Apply appropriate sanctions for violations

A formal HIPAA Security Risk Assessment is mandatory and must be reviewed regularly.

2. Assigned Security Responsibility

A designated Security Officer must oversee:

Policy development
Implementation of safeguards
Ongoing compliance monitoring

Depending on organizational size, this role may be separate from the Privacy Officer.

3. Workforce Security

Access to ePHI must be role-based.

This includes:

Authorization and supervision
Clearance procedures
Termination procedures
Immediate access revocation upon employee exit

4. Information Access Management

Access must follow the “minimum necessary” principle.

Only authorized personnel with a legitimate business need may access ePHI.

5. Security Awareness and Training

Organizations must provide regular training on:

Password management
Phishing and malicious software detection
Social engineering risks

Training is a critical component of ePHI protection requirements.

6. Security Incident Procedures

Organizations must establish:

Incident identification processes
Reporting protocols
Response and mitigation plans
Documentation procedures

7. Contingency Plan

Covered entities must implement:

Data backup plans
Disaster recovery plans
Emergency mode operations procedures
Testing and revision processes

8. Evaluation

Organizations must regularly evaluate:

Technical safeguards
Operational changes
Environmental risks
Policy effectiveness

9. Business Associate Agreements

Contracts must ensure business associates comply with HIPAA Security Rule requirements when handling ePHI.

HIPAA Physical Safeguards

HIPAA physical safeguards focus on protecting physical systems, facilities, and equipment that store or access ePHI.

Facility Access Controls

Organizations must implement:

Contingency operations
Facility security plans
Access control and validation procedures
Maintenance records

These controls prevent unauthorized physical access and tampering.

Device and Media Controls

Policies must address:

Secure disposal of ePHI
Media re-use sanitization
Device accountability tracking
Data backup and secure storage

Proper hardware management is a core HIPAA compliance requirement.

Workstation Security

Organizations must define:

Proper workstation usage
Physical access restrictions
Secure workstation configuration

HIPAA Technical Safeguards

HIPAA technical safeguards apply to electronic systems that store or transmit ePHI.

They define how access, transmission, and system integrity are protected.

Access Control

Requirements include:

Unique user identification
Emergency access procedures
Automatic logoff (addressable)
Authentication mechanisms
Encryption and decryption (addressable)

Audit Controls

Systems must:

Record user activity
Log system access
Monitor security events

Audit controls are essential for demonstrating HIPAA compliance.

Integrity Controls

Organizations must implement mechanisms to ensure ePHI is not altered or destroyed improperly.

Transmission Security

Encryption and secure transmission protocols must protect ePHI during electronic communication.

HIPAA Risk Assessment Requirements

A HIPAA risk assessment is not optional.

Under the HIPAA Security Rule, organizations must:

Identify where ePHI is stored
Assess potential threats and vulnerabilities
Evaluate likelihood and impact
Document findings
Implement corrective actions

Failure to conduct an adequate risk assessment is one of the most common causes of OCR enforcement actions.

HIPAA Security Risk Assessment Tool (HHS SRA Tool)

The HIPAA Security Risk Assessment Tool was developed by:

The Office of the National Coordinator for Health Information Technology (ONC)
The HHS Office for Civil Rights (OCR)

It helps small and mid-sized providers evaluate compliance with HIPAA Security Rule safeguards.

Key features include:

Modular workflow
Threat and vulnerability ratings
Business associate tracking
Detailed reporting
Improved documentation features

The tool stores data locally and does not transmit information to HHS.

While helpful, larger organizations often require a more comprehensive risk analysis program.

NIST HIPAA Toolkit

The NIST HIPAA toolkit provides structured guidance for implementing HIPAA Security Rule safeguards.

It helps organizations:

Map safeguards to NIST security controls
Conduct structured assessments
Strengthen ePHI protection requirements
Align compliance with broader cybersecurity frameworks

Using NIST guidance strengthens audit defensibility.

Achieving HIPAA Compliance With Expert Support

Complying with HIPAA Security Rule requirements requires a structured, risk-based approach.

RSI Security helps healthcare organizations implement:

HIPAA Security Rule safeguards
Risk analysis programs
Vulnerability assessments
Security awareness training
Incident response planning
Penetration testing
Ongoing compliance monitoring

Integrating HIPAA compliance into business-as-usual operations ensures continuous protection of patient data and reduces regulatory risk. Contact RSI Security for HIPPA Security Rule Requirement

HIPAA Security Rule Requirements – What You Need to Know