The HIPAA Security Rule: What Covered Entities Must Do, Explained

The HIPAA Security Rule sets the baseline for how you safeguard Electronic Protected Health Information (ePHI). If you are a covered entity or business associate, your obligations span administrative, physical, and technical safeguards backed by ongoing Risk Analysis, documented policies, Workforce Training Programs, and strict access management.

This guide explains what covered entities must do, in practical steps you can apply to your environment—on‑premises, cloud, and hybrid—so ePHI remains confidential, intact, and available when needed.

Implement Administrative Safeguards

Purpose and scope

Administrative safeguards are the programs and processes that govern how you manage security. They align leadership, risk management, workforce behavior, and vendor oversight so technical controls actually work day to day.

Core requirements you must implement

• Assign security responsibility: designate a Security Official accountable for the program’s design, execution, and reporting.
• Perform a Risk Analysis and ongoing risk management to identify threats to ePHI and apply reasonable and appropriate controls.
• Workforce security and information access management: define who may create, read, update, or delete ePHI; document approvals and terminations.
• Security awareness and training: deliver initial and periodic education, phishing defense, and role-based modules tied to job duties.
• Security incident procedures: detect, respond, mitigate, and document incidents that could compromise ePHI.
• Contingency planning: maintain data backups, disaster recovery, and emergency mode operations plans; test them regularly.
• Periodic evaluation: assess your program whenever technology, operations, or risks change and at defined intervals.
• Business associate management: execute and manage BAAs; verify that vendors with ePHI implement equivalent safeguards.

Documentation essentials

Maintain written policies, procedures, approvals, and evidence such as risk registers, training logs, incident records, and test results. Keep versions and retain documentation for the required period.

Establish Physical Safeguards

Facility Access Controls

Limit and monitor physical entry to areas housing systems that store or process ePHI. Use visitor logging, badges, surveillance, and documented maintenance records. Ensure alternate access during emergencies without weakening overall security.

Workstation and endpoint protection

Define acceptable workstation use, screen privacy, and automatic locking. Secure devices with cable locks or cabinets, restrict ports where feasible, and standardize hardened build images for clinical and administrative endpoints.

Device and media controls

• Inventory all media containing ePHI (servers, laptops, removable drives, backups).
• Implement secure disposal and media reuse procedures to prevent data remanence.
• Control movement and transport with chain‑of‑custody and encryption for portable media.

Apply Technical Safeguards

Access controls

Grant the minimum necessary access. Use unique user IDs, enforce multi‑factor authentication, configure automatic logoff, and implement “break‑glass” emergency access with enhanced monitoring. Encrypt ePHI at rest where feasible; if you do not, document a reasonable and appropriate alternative.

Audit Controls

Enable system and application logging for all ePHI access, changes, and administrative actions. Centralize logs, protect them from tampering, retain them per policy, and review regularly with alerts for anomalous access patterns.

Integrity Controls

Protect ePHI from improper alteration or destruction. Use checksums or hashing, database integrity constraints, application‑level validation, and write‑once or versioned storage for critical records. Patch and configuration management support data integrity by reducing exploit risk.

Transmission Security

Safeguard ePHI in motion. Require strong encryption (for example, TLS) for portals, APIs, telehealth, and email gateways; disable insecure protocols; and validate mutual authentication for system‑to‑system connections. Verify that third‑party integrations meet your Transmission Security requirements.

Conduct Risk Assessments

Build a complete asset and data flow view

Inventory systems, applications, devices, users, vendors, and data stores that create, receive, maintain, or transmit ePHI. Map data flows, including cloud services and mobile endpoints, to ensure your Risk Analysis covers the full scope.

Analyze, prioritize, and treat risk

For each asset and process, identify threats and vulnerabilities, estimate likelihood and impact, and assign a risk rating. Choose treatments—mitigate, transfer, avoid, or accept—with clear rationale and deadlines tracked in a remediation plan.

Reassess when things change

Repeat assessments at defined intervals and upon significant changes such as new EHR modules, mergers, major outages, or novel threats. Update your risk register and verify that implemented controls reduce residual risk as intended.

Develop Compliance Policies

Translate requirements into action

Create concise policies and procedures for access provisioning, authentication, encryption, logging, incident response, contingency planning, vendor risk, workstation use, mobile/telehealth, and media disposal. Align procedures with workflows so staff can execute them reliably.

Keep policies current and provable

Version and approve documents, record training attestations, and retain policies and evidence for the required duration. Cross‑reference policies to the Security Rule to show how each safeguard is met and how exceptions are justified.

Manage Workforce Training

Design effective Workforce Training Programs

Deliver onboarding and periodic, role‑based training that explains how your staff protect ePHI in their specific tools and settings. Cover phishing, passwords and MFA, secure messaging, data handling, device care, and reporting suspected incidents.

Measure and improve

Track completion rates, quiz scores, phishing simulation outcomes, and incident reporting trends. Use the results to target refreshers, update content, and reinforce behaviors during audits and team meetings.

Enforce Access Controls

Least privilege in practice

Implement role‑based access control, restrict elevated privileges, and separate duties for provisioning and approval. Standardize request, approval, and removal steps with time‑bound access for vendors and temporary staff.

Authentication and lifecycle management

Require MFA for remote and privileged access, enforce strong passwords, and automate account creation, transfer, and termination based on HR events. Review access at regular intervals and document decisions.

Monitor and respond

Correlate authentication logs, Audit Controls, and EHR activity to spot anomalies. Investigate “break‑glass” events, excessive queries, or after‑hours access, and apply sanctions per policy when misuse occurs.

Conclusion

By operationalizing administrative, physical, and technical safeguards—anchored by a living Risk Analysis, solid policies, Workforce Training Programs, and disciplined access control—you create a defensible, resilient program that protects ePHI and withstands scrutiny.

FAQs

What are the key administrative safeguards under the HIPAA Security Rule?

They include assigning a Security Official; conducting a Risk Analysis and ongoing risk management; workforce security and information access management; security awareness training; incident response procedures; contingency planning; periodic evaluations; and oversight of business associates via BAAs and monitoring.

How do physical safeguards protect ePHI?

Physical safeguards control real‑world access to systems that handle ePHI. Facility Access Controls limit who enters sensitive areas, while workstation security and device/media controls prevent viewing, theft, or loss of data through unattended screens, unsecured hardware, or improperly disposed media.

What technical safeguards are required to secure electronic health information?

Core technical safeguards are access controls (unique IDs, MFA, auto‑logoff, encryption as appropriate), Audit Controls for logging and review, Integrity Controls to prevent unauthorized alteration, person or entity authentication, and Transmission Security to protect ePHI moving across networks.

What penalties do covered entities face for non-compliance?

Regulators can impose tiered civil monetary penalties per violation, require corrective action plans and ongoing monitoring, and enter resolution agreements. Serious or willful violations can trigger criminal exposure, including fines and potential imprisonment. Contracts, accreditation, insurance, and reputation can also be affected.