HIPAA Information Security and Risk Assessment Requirements Explained for Covered Entities

As a covered entity, you are responsible for protecting electronic protected health information (ePHI) by building a security program that is risk-based, documented, and continuously improved. This guide explains how HIPAA ties information security to risk analysis, what safeguards you must implement, and how to document compliance so your organization can demonstrate due diligence at any time.

HIPAA Security Rule Overview

The HIPAA Security Rule establishes national standards to ensure the confidentiality integrity availability of ePHI. It requires you to assess risk, implement reasonable and appropriate safeguards, and maintain evidence of ongoing compliance. Requirements apply to all systems, processes, and people that create, receive, maintain, or transmit ePHI.

Who must comply and what’s in scope

Covered entities—health plans, healthcare providers, and healthcare clearinghouses—must secure ePHI across clinical, administrative, and business operations. Systems in scope include EHRs, patient portals, billing platforms, messaging tools, cloud services, and any endpoint that stores or accesses ePHI.

Required vs. addressable specifications

Some implementation specifications are required; others are addressable. Addressable does not mean optional—you must implement the control, implement an equivalent alternative, or formally document why an alternative is reasonable and appropriate based on risk and environment.

Core obligations at a glance

• Conduct an organization-wide risk analysis and keep it current through periodic risk review.
• Perform risk management to reduce risks to a reasonable and appropriate level through security measures implementation.
• Adopt policies and procedures, train your workforce, and manage vendors that handle ePHI.
• Document everything to meet the compliance documentation requirement.

Risk Analysis Requirements

Risk analysis is the foundation of HIPAA security. You must identify where ePHI exists, evaluate potential threats and vulnerabilities, estimate likelihood and impact, and determine risk levels to guide control selection and prioritization.

Threat and vulnerability identification

Map ePHI data flows and inventory assets (applications, databases, devices, cloud services, interfaces). Perform threat vulnerability identification across categories such as unauthorized access, misconfiguration, phishing, ransomware, third-party failures, insider misuse, and environmental hazards.

Assess likelihood and impact

Evaluate existing controls and estimate how likely each scenario is and how severely it would affect confidentiality, integrity, or availability. Use a consistent scoring model so risks can be compared and prioritized. Capture assumptions, data sources, and scoping decisions.

Scope, depth, and frequency

The analysis must be enterprise-wide and system-specific where needed. Refresh it whenever you experience material changes (e.g., new EHR, mergers, major cloud migrations) and as part of your periodic risk review cadence.

Documentation essentials

• Asset inventory and ePHI data flow diagrams.
• Risk register listing threats, vulnerabilities, likelihood, impact, and owners.
• Methodology, scoring criteria, and boundaries of the assessment.
• Findings that feed directly into risk management actions.

Risk Management Implementation

Risk management translates analysis into action. Your goal is to select and implement controls that reduce risk to an acceptable level, considering your size, complexity, capabilities, and the sensitivity of ePHI.

From findings to funded actions

• Create a prioritized remediation plan (often called a Plan of Action and Milestones) with owners, budgets, and due dates.
• Address high and very high risks first, applying layered controls to mitigate multiple threats.
• Track progress and verify effectiveness through testing and metrics.

Reasonable and appropriate decisions

When choosing controls or alternatives, weigh effectiveness, feasibility, and potential operational impact. If an addressable control is not implemented, record the rationale and the compensating measures that achieve equivalent protection.

Change and continuous improvement

Integrate risk management with change management so security requirements are evaluated before systems go live. Periodically revisit residual risk and adjust safeguards as operations, technology, or threats evolve.

Administrative Safeguards for ePHI

Administrative safeguards are the policies, processes, and people practices that govern security. They ensure your program is intentional, repeatable, and auditable.

Security management process

• Maintain your risk analysis and risk management plan.
• Define and enforce a sanctions policy for violations.
• Monitor key indicators (e.g., phishing rates, patch timelines, audit findings).

Workforce security and training

• Screen, authorize, and terminate access in a timely manner.
• Provide role-based training, including phishing awareness and secure handling of ePHI.

Information access management

• Apply minimum necessary and role-based access to systems holding ePHI.
• Use documented approvals and periodic access reviews.

Security incident response and reporting

• Define detection, escalation, containment, investigation, and post-incident review steps.
• Coordinate with privacy officers for breach evaluation and notifications when applicable.

Contingency planning

• Implement data backup, disaster recovery, and emergency mode operations plans.
• Test plans with tabletop exercises and restore drills; document results and improvements.

Vendor and business associate oversight

• Execute Business Associate Agreements with partners that handle ePHI.
• Perform due diligence and ongoing monitoring of third-party security posture.

Evaluation and governance

• Conduct periodic technical and nontechnical evaluations of your security program.
• Report status to leadership and maintain records for audit readiness.

Physical Safeguards and Environmental Protection

Physical safeguards protect facilities, equipment, and media that store or process ePHI. Environmental controls keep systems resilient against physical and natural hazards.

Facility access controls

• Restrict and log physical access to data rooms and clinical areas.
• Use badges, locks, cameras, visitor controls, and escort procedures.

Workstation and endpoint security

• Define workstation use, screen locking, and secure configurations for laptops and kiosks.
• Harden remote work setups, including encrypted devices and secure Wi‑Fi.

Device and media controls

• Track asset custody, enable encryption, and sanitize or destroy media before disposal.
• Document chain-of-custody for repairs, returns, and transfers.

Environmental protection

• Provide HVAC, fire detection/suppression, uninterruptible power, and generators where needed.
• Plan for flooding, severe weather, and other local risks with site-specific safeguards.

Technical Safeguards and Access Controls

Technical safeguards are the system controls that enforce who can access ePHI and how it is protected in storage, use, and transit.

Access control

• Assign unique user IDs, enable multi-factor authentication, and enforce strong passwords.
• Configure automatic logoff and emergency access procedures.

Audit controls

• Capture detailed logs for authentication, data access, and administrative actions.
• Centralize logs, monitor for anomalies, and retain evidence for investigations.

Integrity protections

• Use hashing, write-once storage, and change monitoring to prevent and detect tampering.
• Deploy anti-malware, EDR, and secure configuration baselines.

Transmission security

• Encrypt data in transit with current TLS, secure email gateways, or VPNs.
• Validate certificates and disable insecure protocols and ciphers.

Encryption and key management

• Encrypt ePHI at rest and in backups; protect and rotate keys with restricted access.
• Document exceptions and compensating controls when encryption is not feasible.

Minimum necessary and segmentation

• Apply role-based permissions and network segmentation to limit access paths.
• Review access entitlements regularly and remove stale privileges.

Risk Assessment Process and Documentation

Your risk assessment process should be structured, repeatable, and well-documented so you can demonstrate how decisions were made and validated over time.

Step-by-step process

1. Define scope and methodology; align to your business model and systems.
2. Inventory assets and map ePHI data flows, including third parties and integrations.
3. Perform threat vulnerability identification and evaluate existing controls.
4. Estimate likelihood and impact; score risks and assign owners.
5. Select treatments (mitigate, transfer, accept) and create a funded remediation plan.
6. Implement security measures implementation and verify effectiveness.
7. Report results, track residual risk, and schedule periodic risk review.

Documentation package

• Risk register linked to evidence (policies, diagrams, test results).
• Policies and procedures with version control and approval records.
• Training logs, access reviews, incident reports, and contingency test reports.
• Decisions for required vs. addressable controls and any compensating measures.
• Compliance documentation requirement artifacts ready for audits or inquiries.

Using the HealthIT.gov Security Risk Assessment Tool

The HealthIT.gov Security Risk Assessment Tool can help smaller practices structure their analysis with guided questions and reports. Treat it as a starting point, then augment it with your asset inventory, technical testing, third-party reviews, and organization-specific risks.

Program cadence and oversight

Adopt an annual cycle at minimum, with interim updates when significant changes occur. Provide regular status to leadership, and keep evidence organized so you can quickly show what you assessed, what you implemented, and how risks have been reduced.

Conclusion

HIPAA information security hinges on understanding where ePHI lives, analyzing risks, and implementing safeguards that keep data confidential, integral, and available. By executing a rigorous assessment, prioritizing remediation, and maintaining clear documentation, you create a defensible, auditable security program that scales with your organization.

FAQs.

What are the key HIPAA security requirements for covered entities?

You must conduct a thorough risk analysis, implement administrative, physical, and technical safeguards to reduce identified risks, manage vendors handling ePHI, train your workforce, and maintain policies, procedures, and evidence that demonstrate ongoing compliance.

How often must risk assessments be conducted under HIPAA?

HIPAA requires ongoing risk management supported by periodic risk review. At a minimum, reassess annually and whenever significant changes occur—such as new systems, major integrations, relocations, or notable threat shifts.

What types of safeguards are required to protect ePHI?

Safeguards span administrative (policies, training, incident response, contingency planning), physical (facility controls, workstation and device protection, environmental measures), and technical (access control, audit logging, integrity protections, encryption, transmission security) to protect ePHI across confidentiality, integrity, and availability.

How should covered entities document their risk management processes?

Maintain a risk register, policies and procedures, asset inventories, data flow diagrams, training and access review records, incident and testing reports, and decisions for required vs. addressable controls. Include remediation plans and progress evidence to satisfy the compliance documentation requirement.