HIPAA Security Rule: What It Requires Covered Entities to Do to Protect ePHI

The HIPAA Security Rule sets national standards for safeguarding Electronic Protected Health Information (ePHI). It tells covered entities what to put in place across administrative, physical, and technical domains so that ePHI remains confidential, accurate, and available when needed.

This guide explains the core requirements, how to implement practical controls, how to run a Risk Assessment and manage findings, and what documentation you must maintain to demonstrate compliance.

General Requirements for ePHI Protection

The HIPAA Security Rule requires you to ensure the confidentiality, integrity, and availability of ePHI. You must protect ePHI against reasonably anticipated threats and impermissible uses or disclosures, and ensure your workforce follows your security program.

The Rule is technology-neutral and flexible. You must implement “reasonable and appropriate” safeguards based on your size, complexity, technical infrastructure, and the probability and impact of risks to ePHI. Some specifications are required; others are addressable—meaning you must assess them and implement, implement an equivalent alternative, or document why they are not reasonable and appropriate for your environment.

• Confidentiality: prevent unauthorized access or disclosure.
• Integrity: prevent improper alteration or destruction of ePHI.
• Availability: ensure ePHI can be accessed by authorized users when needed.

Implementing Administrative Safeguards

Security management process

Establish a repeatable program that includes ongoing Risk Assessment, risk management, a sanction policy for violations, and routine review of system activity (for example, Audit Controls that monitor access, changes, and anomalous behavior). Prioritize actions based on likelihood and impact to ePHI.

Assigned security responsibility

Designate a qualified security official to develop, implement, and enforce your security program. Give this role the authority and resources to coordinate remediation, evaluate Technical Security Policies, and report program status to leadership.

Workforce security and information access management

Define and enforce role-based access using the minimum necessary principle. Onboard, authorize, and supervise users; promptly modify or terminate access on job changes. Document approval workflows and periodic access reviews to keep privileges aligned with job duties.

Security awareness and training

Train your workforce on policies, secure use of systems, phishing and social engineering, and incident reporting. Reinforce learning with periodic updates, simulated exercises, and targeted refreshers after significant changes or incidents.

Security incident procedures

Document how to identify, escalate, investigate, contain, and remediate security incidents. Keep an incident log, perform root-cause analysis, and track corrective actions to completion.

Contingency planning

Maintain a data backup plan, disaster recovery plan, and emergency mode operation plan. Test and revise plans regularly so critical operations can continue and ePHI remains available during outages.

Evaluation

Conduct periodic technical and non-technical evaluations of your safeguards. Reassess after environmental or operational changes—such as system upgrades, mergers, or new integrations—to ensure controls remain effective.

Business associate management

Identify all vendors that create, receive, maintain, or transmit ePHI. Execute and manage agreements that define required safeguards and obligations, and monitor their performance and security posture.

Technical Security Policies and procedures

Publish clear, enforceable policies for authentication, passwords, multi-factor authentication, device and remote access standards, encryption requirements, change management, and acceptable use. Align procedures to make policies actionable.

Establishing Physical Safeguards

Facility access controls

Implement Physical Access Controls to protect locations where systems and media containing ePHI reside. Use badging, visitor management, surveillance, and access-approval processes. Maintain facility security plans, access validation records, and maintenance logs.

Workstation use and security

Define acceptable workstation locations and configurations. Enforce automatic logoff, privacy screens where appropriate, and secure placement to reduce shoulder surfing and unauthorized viewing.

Device and media controls

Track the lifecycle of hardware and media that store ePHI. Require secure disposal and media reuse procedures (for example, wiping, degaussing, or physical destruction), maintain accountability logs, and back up data before moving or reassigning devices.

Applying Technical Safeguards

Access controls

Require unique user IDs, enforce strong authentication, and implement automatic logoff. Maintain emergency access procedures so authorized staff can reach ePHI during crises while keeping traceability.

Audit Controls

Enable logging that records access, changes, administrative actions, and transmission events across applications, endpoints, databases, and network devices. Define log retention, review schedules, and escalation thresholds to detect and respond to suspicious activity.

Integrity protections

Use mechanisms such as checksums, hashing, and digital signatures to ensure ePHI is not improperly altered or destroyed. Combine file integrity monitoring with change management to maintain trustworthy records.

Person or entity authentication

Verify that users and systems are who they claim to be using passwords plus factors like tokens or biometrics, and mutual authentication for system-to-system connections.

Transmission Security Measures

Protect ePHI in motion with encryption and integrity controls. Use secure protocols for data exchange, safeguard email containing ePHI, and secure remote access with VPNs or equivalent protections. Apply network segmentation and deny-by-default rules to reduce exposure.

Technical Security Policies enforcement

Harden systems with secure configurations, patch promptly, restrict administrative privileges, and scan for vulnerabilities. Automate policy enforcement where possible to reduce human error and increase consistency.

Conducting Risk Analysis and Management

Performing a Risk Assessment

Inventory where ePHI lives and flows—systems, devices, applications, users, and vendors. Identify threats and vulnerabilities, evaluate likelihood and impact, and rate inherent risk. Document existing controls, determine residual risk, and record findings and justifications.

• Scope: include all systems that create, receive, maintain, or transmit ePHI.
• Method: use a consistent methodology with defined risk criteria and scoring.
• Output: produce a prioritized risk register with recommended remediation.

Risk management and remediation

Select safeguards that are reasonable and appropriate to reduce risk to acceptable levels. Create action plans with owners, budgets, timelines, and success metrics. Track progress, validate effectiveness, and update Risk Assessment results as controls change.

Ongoing monitoring and reassessment

Monitor controls continuously through alerts, log reviews, and key risk indicators. Reassess at least annually and after significant changes, ensuring new systems, integrations, and vendors undergo security review before going live.

Maintaining Documentation Compliance

Policies and procedures

Write, approve, and version-control all security policies and procedures. Make them accessible to personnel who implement them, and review them regularly to keep pace with operational and regulatory changes.

Retention and availability

Retain required documentation—policies, procedures, Risk Assessments, incident records, evaluations, and training materials—for at least six years from the date of creation or the date last in effect, whichever is later. Ensure authorized personnel can retrieve records promptly.

Training and attestation records

Document who was trained, when, on what content, and how competency was assessed. Keep acknowledgments or attestations to show understanding and acceptance of responsibilities.

Incident and breach documentation

Maintain incident reports, investigation notes, containment and recovery steps, and post-incident actions. Preserve evidence of breach risk analysis and any required notifications.

Audit-ready evidence

Keep system configurations, change records, access review results, vendor due diligence artifacts, and samples of Audit Controls and Transmission Security Measures. Organize evidence so you can demonstrate compliance efficiently during audits or investigations.

Conclusion

The HIPAA Security Rule requires a coordinated program of Administrative Safeguards, Physical Access Controls, and Technical Security Policies to protect ePHI. By performing a thorough Risk Assessment, managing risks to acceptable levels, and maintaining complete, timely documentation, you position your organization to prevent incidents and to demonstrate compliance with confidence.

FAQs.

What are the key components of the HIPAA Security Rule?

The Security Rule centers on safeguarding ePHI through administrative, physical, and technical safeguards. It requires a risk-based program that ensures confidentiality, integrity, and availability; protects against anticipated threats and impermissible uses or disclosures; enforces workforce compliance; and documents policies, procedures, evaluations, and actions taken.

How do covered entities conduct risk assessments?

Define scope across all systems handling ePHI, map data flows, and inventory assets and vendors. Identify threats and vulnerabilities, rate likelihood and impact, and calculate risk. Document current controls, determine residual risk, and produce a prioritized remediation plan with owners and timelines. Reassess at least annually and after significant changes.

What technical safeguards are required to protect ePHI?

Implement access controls (unique IDs, MFA, automatic logoff), Audit Controls for logging and review, integrity mechanisms to detect improper changes, authentication of users and systems, and Transmission Security Measures such as encryption and integrity protections for data in motion. Harden systems and enforce Technical Security Policies to keep controls effective.

How must covered entities document compliance with the Security Rule?

Maintain written policies and procedures, Risk Assessment reports, training records, incident and breach analyses, evaluations, vendor agreements, system configuration baselines, access reviews, and evidence of Audit Controls and transmission protections. Retain documentation for at least six years and ensure it is accessible to those who implement and oversee safeguards.