All Required HIPAA Security Safeguards (2025): Complete List of Administrative, Physical, and Technical Controls

This 2025 guide compiles all required HIPAA Security Safeguards so you can achieve Security Rule compliance and protect electronic protected health information (ePHI) across people, process, and technology. It translates ePHI protection standards into actionable controls you can implement, verify, and continuously improve.

Use this list to validate your program, close gaps before audits, and strengthen day-to-day operations. Each section highlights access control mechanisms, audit controls requirements, data integrity measures, transmission security protocols, and workforce training documentation expectations.

Administrative Safeguards Implementation

Administrative safeguards establish the governance, risk, and oversight practices that direct your security program. HIPAA specifies “Required” and “Addressable” implementation specifications. Addressable does not mean optional; you must implement them if reasonable and appropriate or document an equivalent alternative with rationale.

Complete Administrative Safeguards

Security Management Process (Required)

• Risk Analysis (Required): Identify where ePHI resides, assess threats and vulnerabilities, and determine the likelihood and impact of harm.
• Risk Management (Required): Prioritize risks, implement controls, assign owners, and track remediation to completion.
• Sanction Policy (Required): Define progressive disciplinary actions for violations and apply them consistently.
• Information System Activity Review (Required): Review audit logs, access reports, and security event summaries routinely.

Assigned Security Responsibility (Required)

• Designate a security official accountable for the development, implementation, and enforcement of security policies and procedures.

Workforce Security (Addressable)

• Authorization and/or Supervision (Addressable): Ensure only authorized workforce members access ePHI and supervise access appropriately.
• Workforce Clearance Procedure (Addressable): Verify role-appropriate clearance before granting access.
• Termination Procedures (Addressable): Promptly remove access, recover devices/keys, and document completion at separation.

Information Access Management (Required standard)

• Isolating Health Care Clearinghouse Function (Required when applicable): Segregate clearinghouse operations and data.
• Access Authorization (Addressable): Grant role-based access consistent with minimum necessary policies.
• Access Establishment and Modification (Addressable): Standardize approvals, provisioning, and periodic re-certifications.

Security Awareness and Training (Required standard)

• Security Reminders (Addressable): Provide ongoing updates and targeted messages.
• Protection from Malicious Software (Addressable): Train on phishing, malware hygiene, and safe software use.
• Log-in Monitoring (Addressable): Educate on detecting and reporting suspicious log-in activity.
• Password Management (Addressable): Train on strong secrets, MFA usage, and secure storage. Maintain workforce training documentation to prove completion and effectiveness.

Security Incident Procedures (Required)

• Response and Reporting (Required): Define how to identify, analyze, escalate, contain, eradicate, and recover from incidents involving ePHI.

Contingency Plan (Required)

• Data Backup Plan (Required): Create reliable backups of systems holding ePHI and verify restorability.
• Disaster Recovery Plan (Required): Restore systems and data after disruption per defined RTOs and RPOs.
• Emergency Mode Operation Plan (Required): Maintain critical ePHI operations during outages.
• Testing and Revision Procedures (Addressable): Test plans routinely and update after changes or lessons learned.
• Applications and Data Criticality Analysis (Addressable): Rank systems and data to drive recovery priorities.

Evaluation (Required)

• Periodically evaluate technical and nontechnical safeguards to confirm controls remain effective as risks and systems change.

Business Associate Contracts and Other Arrangements (Required)

• Execute and manage agreements that set ePHI protection standards, breach reporting duties, and permitted uses and disclosures.

Policies, Procedures, and Documentation

Maintain written policies and procedures for all safeguards, plus evidence such as risk registers, access reviews, incident tickets, test results, and training records. Keep documentation current, retrievable, and aligned to your security program and operations.

Physical Safeguards Enforcement

Physical safeguards protect facilities, workspaces, and devices that store or process ePHI. They control real-world access, reduce tampering risk, and ensure secure equipment lifecycle management.

Complete Physical Safeguards

Facility Access Controls (Required standard)

• Contingency Operations (Addressable): Permit on-site support during emergencies under controlled conditions.
• Facility Security Plan (Addressable): Document physical protections, visitor controls, and monitoring.
• Access Control and Validation Procedures (Addressable): Verify identity/role before allowing entry to sensitive areas.
• Maintenance Records (Addressable): Track repairs and modifications affecting security.

Workstation Use (Required)

• Define acceptable use, screen placement, and session handling to prevent unauthorized viewing of ePHI.

Workstation Security (Required)

• Apply physical safeguards—cable locks, secured rooms, privacy filters—to reduce device theft and shoulder-surfing.

Device and Media Controls (Required)

• Disposal (Required): Sanitize or destroy media before disposal.
• Media Re-use (Required): Remove ePHI before reassigning devices.
• Accountability (Addressable): Track asset custody and transfers.
• Data Backup and Storage (Addressable): Create a retrievable copy of ePHI before moving equipment.

Technical Safeguards Deployment

Technical safeguards translate policies into system controls. Focus on robust access control mechanisms, comprehensive logging for audit controls requirements, strong data integrity measures, and proven transmission security protocols.

Complete Technical Safeguards

Access Control (Required standard)

• Unique User Identification (Required): Assign unique IDs and prevent account sharing.
• Emergency Access Procedure (Required): Provide break-glass access with monitoring and post-event review.
• Automatic Logoff (Addressable): Enforce timeouts for interactive sessions.
• Encryption and Decryption (Addressable): Encrypt ePHI at rest where reasonable and manage keys securely.

Audit Controls (Required)

• Generate and retain logs for access, admin actions, security events, and data changes. Implement centralized logging, alerting, and regular review.

Integrity (Required standard)

• Mechanism to Authenticate ePHI (Addressable): Use hashing, digital signatures, or write-once storage to detect improper alteration or destruction.

Person or Entity Authentication (Required)

• Verify identities before granting access using passwords, tokens, biometrics, or multi-factor methods.

Transmission Security (Required standard)

• Integrity Controls (Addressable): Use checksums or message authentication codes to detect tampering in transit.
• Encryption (Addressable): Protect ePHI in transit with modern TLS, VPNs, or secure messaging protocols.

Practical Deployment Tips

• Adopt least privilege with role-based access, just-in-time elevation, and periodic access re-certification.
• Standardize secure configurations, patching, EDR, and vulnerability management across all ePHI systems.
• Correlate audit logs with SIEM rules and investigate anomalies promptly; link results to information system activity reviews.

Risk Analysis and Management

Risk analysis and management drive all other safeguards and are explicitly Required. Treat this as a living program, not a one-time project.

Structured Risk Method

• Scope: Inventory assets that create, receive, maintain, or transmit ePHI; include vendors and cloud services.
• Map Data Flows: Document where ePHI moves and is stored to expose choke points and dependencies.
• Identify Threats and Vulnerabilities: Consider technical, physical, administrative, and human factors.
• Assess Likelihood and Impact: Rate risks consistently; record assumptions and evidence.
• Treat Risks: Accept, mitigate, transfer, or avoid; define owners, milestones, and acceptance criteria.
• Monitor: Track residual risk, validate controls, and update when systems, threats, or regulations change.

Evidence and Outputs

Maintain a risk register, treatment plans, control mappings, and executive summaries. Tie each high-risk item to concrete control actions and due dates to demonstrate Security Rule compliance and measurable risk reduction.

Workforce Security Management

Your workforce is the front line of ePHI protection standards. Combine preventive controls with monitoring, accountability, and clear documentation.

Core Practices

• Onboarding: Verify role, clearance, and training completion before provisioning access.
• Access Lifecycle: Use ticketed approvals, periodic access reviews, and immediate changes on role shifts.
• Training and Awareness: Deliver role-specific content, phishing simulations, and policy attestations; retain workforce training documentation.
• Sanctions and Coaching: Apply your sanction policy fairly and record outcomes to reinforce expectations.

Contingency Planning Procedures

Contingency planning ensures availability and integrity of ePHI during adverse events. Align plans with business priorities, RTOs, and RPOs.

Plan Components

• Backups: Use immutable and offsite copies; test restoration regularly.
• Disaster Recovery: Define step-by-step recovery for critical applications and infrastructure.
• Emergency Mode Operations: Keep essential clinical and billing processes running under degraded conditions.
• Testing and Improvement: Exercise scenarios, capture lessons, and update procedures and contacts.
• Criticality Analysis: Rank systems and datasets to drive sequencing and resource allocation.

Security Incident Response

Effective incident response turns potential crises into controlled events. It is inseparable from audit controls requirements and security incident procedures.

Lifecycle

• Prepare: Define roles, runbooks, communication plans, and evidence handling procedures.
• Identify: Detect anomalies via alerts, user reports, and threat intelligence; verify scope and affected ePHI.
• Contain: Isolate systems, revoke compromised credentials, and preserve forensic evidence.
• Eradicate and Recover: Remove root cause, rebuild systems, validate integrity, and monitor for reoccurrence.
• Post-Incident: Conduct lessons-learned, update controls, retrain as needed, and meet any applicable notification obligations in a timely manner.

Conclusion

By implementing the full set of administrative, physical, and technical safeguards—backed by rigorous risk management, trained workforce practices, tested contingency plans, and swift incident response—you operationalize HIPAA Security Rule compliance and protect ePHI with depth and resilience.

FAQs.

What are the three types of HIPAA safeguards?

HIPAA defines three safeguard categories: Administrative (governance, risk, policies, and workforce controls), Physical (facility, workstation, and device/media protections), and Technical (access control, audit controls, integrity, authentication, and transmission security). Together, they create layered defenses around ePHI.

How often should risk analysis be conducted for HIPAA compliance?

Perform an initial risk analysis, then update it regularly based on changes in systems, threats, or operations. Many organizations reassess at least annually and after significant events such as new systems, mergers, major incidents, or regulatory updates.

What technical controls are required to protect ePHI?

Required controls include unique user IDs, emergency access procedures, audit controls, person or entity authentication, and integrity protections. Addressable—but commonly expected—controls include automatic logoff and encryption for ePHI at rest and in transit using strong transmission security protocols.

How do physical safeguards reduce unauthorized access risks?

Physical safeguards prevent, detect, and deter real-world threats by controlling facility entry, defining acceptable workstation use, securing workstations, and managing device/media lifecycles. They limit who can get near ePHI systems, ensure screens and hardware are protected, and enforce secure disposal and re-use of storage media.