How to Comply: What the HIPAA Security Rule Requires of Covered Entities

Conduct Security Risk Assessments

The HIPAA Security Rule is risk-based and technology-neutral. Your compliance program begins with a formal risk analysis that identifies how electronic protected health information (ePHI) is created, received, maintained, and transmitted across your environment.

Scope your assessment

• Inventory every system, device, application, interface, and vendor that stores or touches ePHI, including cloud services, backups, and medical equipment.
• Map data flows to understand where ePHI travels, who can access it, and which network segments and physical locations are involved.

Analyze and prioritize risk

• Identify threats and vulnerabilities, then evaluate likelihood and impact to calculate risk levels for each asset and process that handles ePHI.
• Select safeguards that reduce risk to a “reasonable and appropriate” level, tying each decision to the Security Rule’s implementation specifications (required or addressable).
• Document rationale for every choice, including alternatives when an addressable specification is met through a different control.

Maintain and update

• Update your risk analysis whenever technologies, processes, or threats materially change, and perform ongoing risk management to track remediation through closure.
• Use results to drive budgets, timelines, and metrics for continuous improvement.

Implement Administrative Safeguards

Administrative safeguards translate your risk analysis into policies, oversight, and day‑to‑day practices that guide how people and processes protect ePHI.

Security management process

• Risk analysis and risk management that align controls with prioritized risks.
• Sanction policy to enforce consequences for noncompliance.
• Information system activity review, including routine log and audit review.

Governance and roles

• Assign a security official with authority to implement and monitor the program.
• Define cross‑functional oversight (privacy, IT, clinical, legal, compliance).

Workforce security and access management

• Authorize, supervise, and verify workforce access based on job duties and minimum necessary requirements.
• Implement onboarding, transfer, and termination procedures that promptly adjust or revoke access.

Security awareness and training

• Provide continuous, role‑specific training on phishing, secure handling of ePHI, multi-factor authentication, remote work, and reporting obligations.

Security incident procedures

• Define how staff identify, report, and escalate incidents and how leadership initiates security incident response activities.

Contingency planning

• Create and test a data backup plan, disaster recovery plan, emergency mode operation plan, and application/data criticality analysis.
• Record test results and improvements to strengthen resilience.

Business associate management

• Execute business associate agreements that require appropriate safeguards and reporting, and monitor vendors proportionate to risk.

Evaluation and documentation

• Periodically evaluate your program against the Security Rule and your environment.
• Maintain written policies, procedures, and decision records for at least six years.

Deploy Physical Safeguards

Physical safeguards protect the places and equipment where ePHI resides, preventing unauthorized physical access and loss.

Facility access controls

• Maintain a facility security plan, visitor procedures, and access validation for staff and contractors.
• Support contingency operations and keep maintenance records for doors, cameras, and locks.

Workstation use and security

• Define acceptable use, placement, and timeout standards for workstations that handle ePHI.
• Use privacy screens, cable locks, and secure areas to prevent shoulder surfing or theft.

Device and media controls

• Establish secure disposal and media re‑use procedures to prevent ePHI recovery.
• Track hardware with chain‑of‑custody, encrypt portable devices, and enable remote wipe where feasible.

Apply Technical Safeguards

Technical safeguards implement access, logging, integrity, authentication, and transmission protections. Address “required” and “addressable” implementation specifications through a documented, risk‑based approach.

Access control

• Assign unique user IDs, provide emergency access procedures, enforce automatic logoff, and apply encryption/decryption where appropriate.
• Use multi-factor authentication for privileged, remote, and high‑risk access to ePHI.

Audit controls

• Log access to ePHI, retain records per policy, and routinely review events using alerting and correlation tools.

Integrity

• Protect ePHI from improper alteration or destruction using checksums, digital signatures, and configuration/patch management.

Person or entity authentication

• Verify identities with strong credentials, identity proofing, and MFA, balancing usability and risk.

Transmission security

• Encrypt ePHI in transit (for example, TLS‑protected APIs, VPNs, secure messaging) and enforce secure protocols only.

Network segmentation and monitoring

• Use network segmentation to isolate ePHI systems and limit lateral movement, supplemented by firewalls, IDS/IPS, and endpoint detection.

Establish Incident Response Plans

A documented plan enables swift, repeatable security incident response to contain damage, recover operations, and meet reporting obligations.

Prepare

• Define severity levels, roles, and a call tree; pre‑stage playbooks for ransomware, lost/stolen devices, and email compromise.
• Harden backups and practice restoration to support recovery objectives.

Detect and analyze

• Centralize alerts, validate incidents, assess scope and affected ePHI, and preserve evidence and logs.

Contain, eradicate, recover

• Isolate affected systems, reset credentials, remove malicious code, rebuild where needed, and verify data and service integrity before returning to production.

Post‑incident improvement and notifications

• Perform root‑cause analysis, update your risk analysis and controls, retrain the workforce, and document all actions.
• Evaluate breach status and coordinate timely notifications consistent with the Breach Notification Rule and contractual obligations.

Perform Regular Compliance Audits

Audits verify that policies match practice and that controls satisfy the Security Rule’s implementation specifications.

What to audit

• Policy and procedure alignment, access reviews, log review practices, contingency planning artifacts, vendor management, and training records.

How to audit

• Combine document review, technical testing (e.g., configuration and vulnerability checks), interviews, and sampling of real workflows.

Document and retain

• Record scope, findings, corrective actions, due dates, and ownership, and retain audit evidence and decisions for at least six years.

Manage Workforce Access Controls

Strong workforce controls ensure only the right people access ePHI, only when needed, and only to the minimum necessary extent.

Joiner‑Mover‑Leaver (JML)

• Automate provisioning, apply time‑bound access for temporary roles, and disable accounts immediately upon role change or separation.

Least privilege and separation of duties

• Use role‑based access, periodic re‑certifications, and “break‑glass” emergency access with enhanced monitoring.

Strong authentication and authorization

• Require multi-factor authentication, use conditional access (e.g., step‑up for sensitive actions), and review privileged access frequently.

Endpoint and remote access

• Apply full‑disk encryption, MDM, patching, and remote wipe on mobile and remote endpoints; route remote sessions through secure channels.

Monitoring and accountability

• Continuously monitor ePHI access, investigate anomalies, enforce the sanction policy, and reinforce training tied to real incidents.

Summary

Effective HIPAA Security Rule compliance weaves risk analysis, administrative discipline, physical protections, technical controls, security incident response, and continuous auditing into one program. By aligning safeguards to your environment and documenting each decision, you make protection of ePHI both reliable and sustainable.

FAQs

What are the key administrative safeguards under the HIPAA Security Rule?

They include a security management process (risk analysis, risk management, sanctions, activity review), assigned security responsibility, workforce security and information access management, security awareness and training, security incident procedures, contingency planning, periodic evaluations, and business associate management with appropriate agreements.

How often must covered entities perform risk assessments?

The Security Rule expects an ongoing process, not a one‑time task. You should complete a comprehensive risk analysis initially, update it whenever technology, operations, or threats materially change, and review it on a regular cadence (many organizations do so at least annually) to ensure controls remain reasonable and appropriate.

What technical safeguards are required to protect ePHI?

Technical safeguards cover access control (unique IDs, emergency access, automatic logoff, encryption where appropriate), audit controls (logging and review), integrity protections, person or entity authentication, and transmission security for ePHI in transit. In practice, organizations also employ multi-factor authentication, encryption at rest, and network segmentation based on their risk analysis and implementation specifications.

How should covered entities respond to security incidents?

Follow a documented plan: prepare roles and playbooks, detect and analyze alerts quickly, contain affected systems, eradicate the cause, recover services and validate ePHI integrity, then conduct lessons learned and update your risk analysis. Determine whether a breach occurred and complete any required notifications, keeping thorough records of the entire response.