What Does the 2013 HIPAA Security Rule Require? Key ePHI Safeguards Explained
The 2013 HIPAA Security Rule sets national standards for safeguarding Electronic Protected Health Information (ePHI). It requires you to ensure the confidentiality, integrity, and availability of ePHI using a risk-based, flexible framework that scales to your size, technology, and threats.
Controls fall into administrative, physical, and technical safeguards supported by ongoing risk assessment, workforce oversight, contingency planning, and security incident procedures. Some specifications are required while others are addressable—meaning you must implement them or justify and document an effective alternative.
Administrative Safeguards
Security Management Process
Establish a repeatable process to identify risks to ePHI, prioritize them, and implement risk management actions. This includes documenting a Risk Assessment, tracking remediation, and reviewing system activity such as login attempts and audit logs.
Assigned Security Responsibility
Designate a security official accountable for developing, implementing, and enforcing your security program. Give this role authority to coordinate with leadership, IT, compliance, and legal.
Workforce Security and Information Access Management
Define how users are authorized, provisioned, and offboarded to maintain least-privilege Access Controls. Perform periodic access reviews, separate duties for sensitive tasks, and promptly revoke access when roles change.
Security Awareness Training
Provide ongoing Security Awareness Training for all workforce members. Cover phishing resistance, secure password practices, multi-factor authentication, malware prevention, mobile/remote work expectations, and reporting of suspected incidents.
Security Incident and Contingency Foundations
Maintain policies to detect, report, and respond to security incidents and ensure operations can continue during emergencies. You will build out the specifics in the dedicated Contingency Planning and Security Incident Procedures sections below.
Evaluation, BAAs, and Documentation
Conduct periodic evaluations of your security program, update controls when technology or threats change, and manage Business Associate Agreements to extend safeguards to partners. Thorough documentation demonstrates compliance and operational consistency.
Physical Safeguards
Facility Access Controls
Control physical entry to locations housing ePHI. Define and enforce:
- Contingency Operations: secure facility access during emergencies so critical services can continue safely.
- Facility Security Plan: locks, badges, cameras, and visitor management that match your risk profile.
- Access Control and Validation: verify roles before granting entry to sensitive areas.
- Maintenance Records: track physical changes, repairs, and inspections.
Workstation Use and Security
Specify acceptable use for desktops, laptops, and kiosks. Place screens to reduce shoulder-surfing, use privacy filters where needed, auto-lock when idle, and secure devices when unattended.
Device and Media Controls
Protect ePHI on portable media and hardware. Apply approved disposal and media re-use procedures, keep accountability logs for asset movement, and maintain secure data backup and storage to prevent loss.
Technical Safeguards
Access Controls
Enforce unique user IDs, role-based permissions, and emergency access procedures. Use automatic logoff where feasible and implement Data Encryption for ePHI at rest and in transit or document equivalent protections if an alternative is used.
Audit Controls
Enable logging to record access and activity involving ePHI. Centralize, retain, and regularly review logs from EHRs, databases, endpoints, and networks to detect anomalies and support investigations.
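As an added illustration of the "regularly review logs to detect anomalies" point (example code written for this page, not a product feature), the script below parses constructed audit lines in an assumed `timestamp key=value ...` format and flags two reviewable conditions: a burst of failed logins for one user inside a sliding window, and ePHI record access outside assumed business hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not from any real system): ISO timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-03-04T08:00:00 user=bob action=LOGIN_FAILED src=10.1.1.21
2024-03-04T09:02:11 user=alice action=LOGIN_OK src=10.1.1.20
2024-03-04T09:03:40 user=alice action=VIEW_RECORD mrn=000123
2024-03-04T22:45:01 user=bob action=LOGIN_FAILED src=198.51.100.7
2024-03-04T22:45:09 user=bob action=LOGIN_FAILED src=198.51.100.7
2024-03-04T22:45:15 user=bob action=LOGIN_FAILED src=198.51.100.7
2024-03-04T22:46:02 user=bob action=LOGIN_OK src=198.51.100.7
2024-03-04T22:47:10 user=bob action=VIEW_RECORD mrn=000456
"""

def parse_line(line):
    """Split one audit line into a dict: 'ts' as datetime, remaining fields as strings."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def review_audit_log(text, fail_threshold=3, window=timedelta(minutes=10), business_hours=(7, 19)):
    """Return (rule, user, timestamp) findings; thresholds and hours are assumed policy values."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of failed logins still inside the window
    flagged = set()               # users already reported, so a burst is reported once
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user", "?")
        if ev.get("action") == "LOGIN_FAILED":
            # Drop failures older than the window, then count the current one.
            cutoff = ev["ts"] - window
            failures[user] = [t for t in failures[user] if t >= cutoff] + [ev["ts"]]
            if len(failures[user]) >= fail_threshold and user not in flagged:
                flagged.add(user)
                findings.append(("repeated_login_failures", user, ev["ts"]))
        elif ev.get("action") == "VIEW_RECORD":
            start, end = business_hours
            if not (start <= ev["ts"].hour < end):
                findings.append(("ephi_access_outside_hours", user, ev["ts"]))
    return findings

if __name__ == "__main__":
    for rule, user, ts in review_audit_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

The 08:00 failure for bob falls outside the 10-minute window and is pruned, so only the three failures around 22:45 trigger the burst rule.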
Integrity
Protect ePHI from improper alteration or destruction. Use checksums, hashing, write-protection, and change monitoring to validate data integrity across systems and transmissions.
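One way to put the hashing and change-monitoring controls into practice, as an added example for this page rather than any product's code: build a keyed-digest manifest over ePHI records, then verify it later. A keyed digest (HMAC-SHA256) is used instead of a plain hash because anyone able to alter a record could also recompute a plain hash; the key is assumed to live outside the data store. The records and key are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample ePHI records keyed by record id (not real data).
SAMPLE_RECORDS = {
    "rec-001": b'{"mrn":"000001","dx":"J45.909","note":"stable"}',
    "rec-002": b'{"mrn":"000002","dx":"E11.9","note":"follow-up"}',
}

def digest(data: bytes, key: bytes) -> str:
    """Keyed digest of one record; the key must be held outside the record store."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_manifest(records: dict, key: bytes) -> dict:
    """Baseline: record id -> keyed digest, captured when the data is known-good."""
    return {rid: digest(data, key) for rid, data in records.items()}

def verify_manifest(records: dict, manifest: dict, key: bytes) -> dict:
    """Compare current records to the baseline.

    Returns record id -> one of 'ok', 'altered' (content changed or wrong key),
    'missing' (record destroyed or removed), 'unexpected' (record not in baseline).
    """
    results = {}
    for rid, expected in manifest.items():
        data = records.get(rid)
        if data is None:
            results[rid] = "missing"
            continue
        # Constant-time comparison avoids leaking digest prefixes via timing.
        results[rid] = "ok" if hmac.compare_digest(digest(data, key), expected) else "altered"
    for rid in records:
        if rid not in manifest:
            results[rid] = "unexpected"
    return results

if __name__ == "__main__":
    key = b"constructed-demo-key"
    baseline = build_manifest(SAMPLE_RECORDS, key)
    print(verify_manifest(SAMPLE_RECORDS, baseline, key))
```

A scheduled run of `verify_manifest` over the live store, with any non-'ok' result routed to the incident process, is the change-monitoring half of the control.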
Person or Entity Authentication
Verify that the person or system requesting access is who they claim to be. Strengthen authentication with multi-factor methods and secure credential lifecycle management.
Transmission Security
Safeguard ePHI moving over networks using encryption and integrity controls. Prefer modern protocols for email, APIs, and remote access, and restrict insecure channels or wrap them in secure tunnels.
Risk Analysis and Management
Define Scope and Inventory ePHI
Identify where ePHI is created, received, maintained, or transmitted, including cloud apps, backups, mobile devices, and third parties. Map data flows to reveal hidden exposure points.
Assess Threats and Vulnerabilities
Evaluate technical, physical, and administrative weaknesses against credible threats such as ransomware, phishing, lost devices, insider misuse, and service outages. Consider likelihood and impact to prioritize mitigation.
Treat Risks and Document Decisions
Select controls that reduce risks to reasonable and appropriate levels, assign owners and deadlines, and document rationale—especially when an addressable control like encryption is deferred or replaced.
Monitor, Reassess, and Improve
Revisit your Risk Assessment on a defined cadence and whenever major changes occur—new systems, mergers, incidents, or regulatory updates. Track metrics to confirm controls remain effective.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Workforce Training and Management
Build a Role-Based Program
Deliver baseline Security Awareness Training for all staff and deeper instruction for administrators, clinicians, developers, and support teams. Reinforce learning with short updates, simulations, and just-in-time coaching.
Set Expectations and Enforce
Publish clear policies for acceptable use, device handling, remote work, and incident reporting. Apply a graduated sanctions policy for violations and recognize positive security behaviors to shape culture.
Manage Access Through the Employee Lifecycle
Integrate HR, IT, and compliance to provision accounts, verify least privilege, review access regularly, and promptly deprovision on role change or separation. Monitor for orphaned or shared accounts.
Contingency Planning
Core Plans
- Data Backup Plan: perform routine, tested backups of ePHI with secure, offsite, and immutable options.
- Disaster Recovery Plan: restore systems and data after disruption to meet defined recovery objectives.
- Emergency Mode Operation Plan: keep essential functions running during crises with minimal, secure workflows.
Testing, Revision, and Criticality
Regularly test recovery procedures, refine plans based on results, and complete an applications and data criticality analysis to prioritize what must be recovered first.
Contingency Operations and Communications
Coordinate secure facility access during emergencies and maintain contact trees, vendor escalations, and downtime procedures. Encrypt backups and protect keys to prevent compounded losses.
Security Incident Procedures
Prepare and Detect
Define what constitutes a security incident, publish reporting channels, and deploy monitoring to surface suspicious activity. Ensure Audit Controls and alerting provide timely, actionable signals.
Respond and Recover
Quickly contain threats by disabling compromised accounts, isolating affected systems, and applying patches. Eradicate root causes, restore from known-good backups, and validate integrity before returning to service.
Assess, Notify, and Document
Perform a risk assessment of the incident’s impact on ePHI and follow applicable breach notification duties under HIPAA. Document actions taken, preserve evidence, and record lessons learned.
Improve and Prevent Recurrence
Update policies, tighten Access Controls, adjust Security Awareness Training, and feed insights into your Risk Management process. Track corrective actions to closure.
Conclusion and Key Takeaways
The 2013 HIPAA Security Rule requires a practical, risk-based program spanning administrative, physical, and technical safeguards for ePHI. Prioritize Risk Assessment, implement strong Access Controls and Data Encryption, verify with Audit Controls, train your workforce, prepare for disruptions, and refine through continuous evaluation.
FAQs
What are the main categories of HIPAA Security Rule safeguards?
The Security Rule organizes protections into three categories: Administrative Safeguards (governance, risk management, policies, and training), Physical Safeguards (facility, workstation, and device protections), and Technical Safeguards (access, audit, integrity, authentication, and transmission controls) for ePHI.
How do administrative safeguards protect ePHI?
Administrative safeguards set the foundation: you assess risks, assign security responsibility, manage workforce access, deliver Security Awareness Training, plan for incidents and contingencies, evaluate effectiveness, and extend protections through Business Associate Agreements—ensuring controls are applied consistently and documented.
What technical measures are required by the 2013 Security Rule?
Required measures include unique user identification, emergency access procedures, person or entity authentication, and Audit Controls. Other measures, such as automatic logoff and Data Encryption for ePHI at rest and in transit, are addressable—you must implement them when reasonable and appropriate or document equivalent, effective alternatives.