Does the HIPAA Security Rule Apply to All Covered Entities? Who’s Covered and What’s Required


Kevin Henry

HIPAA

February 23, 2024

6 minute read

HIPAA Security Rule Applicability

The HIPAA Security Rule applies whenever you create, receive, maintain, or transmit electronic protected health information (ePHI). It governs how ePHI is safeguarded across systems, networks, mobile devices, and cloud services—whether data is at rest, in use, or in transit.

The Rule is risk-based and technology-neutral. You must perform security risk assessments, select reasonable and appropriate controls, document decisions, and review them regularly as your environment, threats, and operations change. Paper records and de-identified data are outside its scope, but any system touching ePHI—EHRs, e-prescribing, billing, analytics platforms, backups—falls squarely under it.

The Security Rule does not prescribe specific brands or tools. Instead, it expects consistent protection proportional to your risks, workforce size, complexity, and technical capabilities. Remote work, telehealth, and cloud hosting are fully compatible with HIPAA when security risks are identified and managed.

Covered Entities Defined

Covered entities include: (1) health care providers that conduct standard electronic transactions (such as electronic claims), (2) health plans (including employer-sponsored plans, HMOs, and government programs), and (3) health care clearinghouses that translate or process nonstandard data for standard transactions.

If you are a hybrid entity—an organization with both health and non‑health operations—you may designate health care components. The Security Rule then applies to those components and any shared services handling ePHI. Providers that never conduct standard electronic transactions may fall outside HIPAA, but most modern practices and facilities are covered due to routine e-billing and eligibility checks.

Role of Business Associates

Business associates are vendors or partners that perform services for a covered entity and handle ePHI—think cloud hosting, EHR vendors, billing services, telehealth platforms, e-fax, data destruction, and analytics firms. Subcontractors to business associates that handle ePHI are also business associates.

Business associates must implement their own HIPAA Security Rule program and sign business associate agreements (BAAs) that define permitted uses, disclosures, safeguards, breach reporting, and termination rights. Effective vendor oversight requires verifying controls during onboarding and periodically thereafter, aligning contract terms to your risk profile, and ensuring downstream subcontractors meet equivalent obligations.


Security Rule Requirements

The Security Rule requires you to establish administrative, physical, and technical safeguards supported by policies, procedures, and documentation. You must conduct an enterprise-wide risk analysis, implement risk management plans, train your workforce, manage third-party risk, prepare for incidents, and periodically evaluate your program.

Documentation is essential. Keep written policies, procedures, risk assessments, decisions on addressable items, training logs, incident records, and BAA inventories. Maintain these for the required retention period and update them whenever your environment or risk posture changes.

Required Safeguards

Administrative safeguards

  • Security risk assessments and ongoing risk management to prioritize threats to ePHI.
  • Assigned security responsibility, workforce security, and information access management.
  • Security awareness and training, including phishing defense and multi-factor authentication practices.
  • Incident response and reporting procedures with clear roles and escalation paths.
  • Contingency planning: data backup plan, disaster recovery plan, and emergency mode operations.
  • Vendor oversight: due diligence, BAAs, monitoring, and remediation of third-party risks.
  • Periodic evaluations to validate control effectiveness and address gaps.

Physical safeguards

  • Facility access controls with appropriate visitor management and environmental protections.
  • Workstation use and security standards that separate clinical, administrative, and public spaces.
  • Device and media controls: asset tracking, secure disposal, re-use sanitization, and offsite transport protections.

Technical safeguards

  • Access controls: unique user IDs and emergency access procedures (required); automatic logoff and encryption/decryption of ePHI at rest (addressable, so implement them or document an equivalent alternative).
  • Audit controls (required): record and examine activity in systems that contain or use ePHI, typically through system activity logging, centralized log retention, and regular review by someone who is not the user being reviewed.
  • Integrity protections to prevent improper alteration or destruction of ePHI, with a mechanism to authenticate ePHI (addressable), such as checksums, digital signatures, or database-level integrity checks.
  • Person or entity authentication (required); multi-factor authentication is strongly recommended for remote access, privileged accounts, and patient or partner portals.
  • Transmission security: integrity controls and encryption of ePHI in transit (both addressable), in practice TLS with certificate and hostname validation, or a VPN; encryption without certificate validation does not protect against a man-in-the-middle.
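The audit-controls bullet above says "regular review" but not what a review actually looks for. The following is an added example, not code from the original article or from Accountable: a minimal review pass over constructed ePHI access-log lines. The log format (`<ISO timestamp> user=<id> patient=<mrn> action=<verb> src=<ip>`) is hypothetical, the sample lines are made up, and the two rules (one user touching an unusual number of distinct patient records in a day, and access outside business hours) use illustrative thresholds rather than anything the Security Rule prescribes. Malformed lines are counted rather than silently dropped, because a logging pipeline that quietly loses records is itself an audit-control failure.

```python
"""Added example: a minimal review pass over constructed ePHI access logs.

Not from the original article. The line format below is a hypothetical
EHR audit format; real systems differ, so parse_line() is the part you
would adapt. BULK_THRESHOLD and BUSINESS_HOURS are illustrative settings,
not Security Rule requirements.
"""
from collections import defaultdict
from datetime import datetime, time
import re

# Hypothetical audit-log line format (assumption, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"action=(?P<action>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not real data). Includes one deliberately malformed line.
SAMPLE_LOG = """\
2024-02-20T09:12:03 user=nurse.a patient=MRN1001 action=view src=10.0.1.15
2024-02-20T09:15:44 user=nurse.a patient=MRN1002 action=view src=10.0.1.15
2024-02-20T10:02:10 user=billing.b patient=MRN1001 action=view src=10.0.2.7
2024-02-20T10:02:11 user=billing.b patient=MRN1003 action=view src=10.0.2.7
2024-02-20T10:02:12 user=billing.b patient=MRN1004 action=view src=10.0.2.7
2024-02-20T10:02:13 user=billing.b patient=MRN1005 action=view src=10.0.2.7
2024-02-20T10:02:14 user=billing.b patient=MRN1006 action=view src=10.0.2.7
2024-02-20T10:02:15 user=billing.b patient=MRN1007 action=view src=10.0.2.7
2024-02-20T23:41:09 user=clerk.c patient=MRN1008 action=export src=203.0.113.9
this line is malformed and must be counted, not silently dropped
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # illustrative; tune per site
BULK_THRESHOLD = 5  # distinct patient records per user per day; illustrative


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review(log_text):
    """Apply the two review rules to a log.

    Returns (findings, malformed_count). Each finding is a tuple whose first
    element is the rule name: "after_hours" or "bulk_access".
    """
    findings = []
    malformed = 0
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient IDs

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            malformed += 1
            continue
        per_user_day[(rec["user"], rec["ts"].date())].add(rec["patient"])
        t = rec["ts"].time()
        if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
            findings.append(
                ("after_hours", rec["user"], rec["ts"].isoformat(), rec["action"])
            )

    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, day.isoformat(), len(patients)))

    return findings, malformed


if __name__ == "__main__":
    found, bad = review(SAMPLE_LOG)
    for f in found:
        print(f)
    print(f"malformed lines: {bad}")
```

In a real program the thresholds would come from the risk analysis, the review would run on a schedule against the centralized log store, and each finding would be ticketed with the reviewer's disposition recorded, since the documentation of the review is what an OCR investigator asks for.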

Implementation Specifications

Each safeguard includes implementation specifications that are either “required” or “addressable.” Required specifications must be implemented as written. Addressable does not mean optional; you must implement the specification as stated, implement an effective alternative, or document why neither is reasonable and appropriate in your environment, with the risks and compensating controls clearly explained.

Examples: If full-disk encryption for certain devices is not feasible, you might document an alternative such as container-based encryption, strict device management, and technical restrictions on local ePHI storage—provided the residual risk is acceptable. For authentication, you may select multi-factor authentication methods that fit your systems (e.g., FIDO2 security keys or authenticator apps) and document the rationale and coverage.

Decisions on addressable items must be revisited when risks, technologies, or operations change. What was once impractical may later become reasonable and appropriate as costs drop and capabilities improve.

Enforcement and Compliance Deadlines

OCR enforces the Security Rule through investigations, audits, and breach reviews. Outcomes can include corrective action plans and tiered civil money penalties, with factors such as violation nature, duration, culpability, and past compliance history considered. State attorneys general may also bring actions under HIPAA, and contracts can add additional remedies.

Key historical dates: Covered entities were required to comply with the Security Rule by April 21, 2005; small health plans had until April 21, 2006. Business associates became directly subject to the Security Rule’s requirements following the HIPAA Omnibus Rule, with a general compliance date of September 23, 2013.

Proposed cybersecurity enhancements periodically emerge through federal rulemaking and guidance; the most recent is the HHS notice of proposed rulemaking published in the Federal Register on January 6, 2025, which would, among other changes, remove the distinction between required and addressable specifications. As of November 7, 2025, proposed enhancements are not enforceable until finalized; you must continue meeting the current HIPAA Security Rule requirements while monitoring HHS announcements. Expect phased timelines once any final rule publishes, with lead time to implement new controls.

Key takeaways

  • The Security Rule applies whenever your organization handles ePHI, including through vendors and cloud services.
  • Compliance hinges on sound risk analysis, layered safeguards, documentation, and continuous improvement.
  • Multi-factor authentication, encryption, logging, and vendor oversight are cornerstone controls in modern programs.

FAQs

Which entities are considered covered entities under the HIPAA Security Rule?

Covered entities are health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses. Hybrid entities must apply the Rule to their designated health care components and any shared services that handle electronic protected health information.

Does the Security Rule apply to business associates?

Yes. Business associates and their subcontractors that create, receive, maintain, or transmit ePHI on behalf of a covered entity must comply with the Security Rule, sign business associate agreements, and implement safeguards proportionate to their risks.

What are the mandatory safeguards under the HIPAA Security Rule?

You must implement administrative, physical, and technical safeguards. Core elements include security risk assessments and risk management, workforce training, access controls, audit logging, integrity protections, transmission security, contingency plans, and vendor oversight. Some specifications are required, while addressable ones must be implemented, replaced with an effective alternative, or justified with documented risk decisions.

When must covered entities comply with proposed cybersecurity enhancements?

Proposed enhancements are not binding until a final rule is issued. As of November 7, 2025, there is no federal HIPAA compliance date for proposals; monitor HHS and OCR announcements. Once finalized, expect defined effective dates and reasonable transition periods to implement new requirements.
