PHI Safeguard Requirements: HIPAA Security Rule and NIST 800-66 Checklist

HIPAA Security Rule Overview

The HIPAA Security Rule sets baseline protections for electronic protected health information (ePHI). It requires you to ensure the confidentiality, integrity, and availability of ePHI while protecting against reasonably anticipated threats and impermissible uses or disclosures.

Covered entities and business associates must adopt security measures that fit their size, complexity, and capabilities. The rule includes “required” and “addressable” specifications, so you tailor controls through documented risk management rather than a one-size-fits-all approach.

• Scope: systems, applications, devices, and vendors that create, receive, maintain, or transmit electronic protected health information (ePHI).
• Core principles: risk-based safeguards, minimum necessary access, ongoing evaluation, and documented policies and procedures.
• Outcome: a defensible security risk assessment and program that aligns people, processes, and technology.

Administrative Safeguards

Core requirements

• Security management process: conduct a security risk assessment, implement risk management plans, and apply sanctions for violations.
• Assigned security responsibility: name a security official accountable for the program.
• Workforce security and training: authorize, supervise, and train workforce members; manage terminations promptly.
• Information access management: grant role-based access in line with the minimum necessary standard.
• Security incident procedures: detect, report, and respond; document lessons learned.
• Contingency planning: maintain data backup, disaster recovery, and emergency mode operation plans; test and revise routinely.
• Evaluation: perform periodic technical and nontechnical evaluations of safeguards and policies.
• Business associate management: execute and monitor BAAs covering ePHI handling and safeguards.

Practical checklist

• Inventory systems and vendors touching ePHI; map data flows end to end.
• Document policies and procedures; review at least annually and upon major changes.
• Run phishing, privacy, and security awareness training; track completion and effectiveness.
• Align corrective actions to risk priority; verify completion and residual risk acceptance.

Physical Safeguards

Core requirements

• Facility access controls: define visitor procedures, access authorization, maintenance logs, and contingency access.
• Workstation use and security: specify acceptable use; position screens to reduce exposure; secure kiosks and shared areas.
• Device and media controls: sanitize, dispose, and track devices and media; maintain a record of movement and re-use.

Practical checklist

• Harden facility access controls with badges, keys, visitor logs, and surveillance proportional to risk.
• Implement cable locks, locked racks, and secured server rooms; label and inventory all assets.
• Standardize media sanitization (e.g., cryptographic erase) and certified disposal; document chain of custody.

Technical Safeguards

Core requirements

• Access control: unique user IDs, least privilege, session timeouts, emergency access, and encryption of ePHI at rest where appropriate.
• Audit controls: enable logging for systems handling ePHI; retain, review, and correlate logs across platforms.
• Integrity: protect ePHI from improper alteration with hashing, checksums, and change monitoring.
• Authentication: verify users and entities, preferably with multi-factor authentication.
• Transmission security: protect ePHI in transit using strong protocols, certificate management, and secure APIs.

Practical checklist

• Implement role-based access control and periodic access recertifications.
• Centralize logs; define alert thresholds for anomalous behavior and failed logins.
• Encrypt data at rest and in transit; manage keys securely and rotate on schedule.
• Segment networks; restrict administrative interfaces; patch routinely; test backups and restores.

NIST 800-66 Guide

NIST SP 800-66 translates the HIPAA Security Rule into actionable tasks and maps them to common security frameworks. Using it, you can build a HIPAA-aligned program that integrates policy, control selection, and continuous monitoring.

How 800-66 supports implementation

• Provides a crosswalk from HIPAA standards to practical safeguards and processes.
• Aligns with NIST risk methodologies (e.g., asset-threat-vulnerability analysis) to drive measurable risk management.
• Encourages governance, metrics, and continuous improvement over checklist-only approaches.

NIST 800-66 checklist

• Establish governance: define roles, scope, and decision rights for PHI safeguard requirements.
• Profile your environment: inventory assets, data flows, and third parties that create, receive, maintain, or transmit ePHI.
• Select controls mapped to HIPAA safeguards; justify “addressable” choices with documented rationale.
• Implement controls with change management, testing, and user enablement.
• Measure: set KPIs/KRIs (e.g., mean time to revoke access, patch latency, audit review cadence).
• Monitor and improve: conduct periodic evaluations and update policies, procedures, and configurations.

Risk Analysis Requirement

A risk analysis is the foundation of your security program and must be comprehensive, accurate, and documented. It identifies where ePHI resides, what can go wrong, how likely it is, and the potential impact—so you can prioritize remediation.

How to run a security risk assessment

• Define scope: systems, applications, devices, cloud services, integrations, and physical locations handling ePHI.
• Identify threats and vulnerabilities: human error, insider misuse, third-party risk, misconfigurations, and service outages.
• Evaluate current controls: access control, audit controls, transmission security, backups, and incident response.
• Determine likelihood and impact; rate inherent and residual risk; assign owners and timelines.
• Document risk management decisions, acceptance criteria, and validation steps.
• Update the analysis upon significant changes and on a regular cadence; track progress to closure.

Documentation essentials

• Methodology and scope, asset inventory, data flow diagrams, and assumptions.
• Risk register with ratings, planned safeguards, and status.
• Evidence: policies, procedures, training records, test results, and approval logs.

Compliance and Enforcement

Compliance depends on governance, documentation, and verifiable execution. Maintain current policies and procedures, execute business associate agreements, train your workforce, monitor control performance, and keep evidence for audits.

HHS OCR enforces HIPAA through investigations, corrective action plans, and civil monetary penalties. Strong documentation, timely incident handling, and demonstrated risk management are your best defenses if an investigation occurs.

Program essentials

• Policy lifecycle: draft, approve, publish, train, attest, review, and revise.
• Access management: timely provisioning and deprovisioning, periodic reviews, and separation of duties.
• Incident and breach response: detect, contain, investigate root cause, notify as required, and implement corrective actions.
• Continuous evaluation: scheduled audits, tabletop exercises, control tests, and management reporting.

Conclusion

By aligning administrative, physical, and technical safeguards with a rigorous risk analysis and the NIST 800-66 checklist, you create a defensible, effective HIPAA Security Rule program. Focus on outcomes—reduced risk to ePHI, resilient operations, and clear evidence of compliance.

FAQs

What is the HIPAA Security Rule?

The HIPAA Security Rule is a federal regulation that requires safeguards to protect the confidentiality, integrity, and availability of ePHI. It mandates administrative, physical, and technical controls scaled to your organization’s size, complexity, and risks.

How does NIST 800-66 support HIPAA compliance?

NIST SP 800-66 provides practical guidance and mappings that translate HIPAA’s requirements into implementable controls and processes. It helps you design a risk-based program, select safeguards, measure effectiveness, and continually improve.

What are the key administrative safeguards for PHI?

They include a security management process (risk analysis and risk management), assigned security responsibility, workforce security and training, information access management, incident response procedures, contingency planning, periodic evaluations, and oversight of business associates.

How often must risk analysis be conducted?

Perform an initial comprehensive risk analysis, then update it regularly and whenever significant changes occur—such as new systems, workflows, or vendors that handle ePHI. The cadence should reflect your risk profile and support continuous improvement.