What Does the HIPAA Security Rule Require Covered Entities to Do? Key Requirements Explained

Implement Administrative Safeguards

The HIPAA Security Rule requires you to establish administrative safeguards that govern how your organization protects electronic Protected Health Information (ePHI). These measures align leadership, policy, and oversight so security is intentional, documented, and continuously improved.

Governance and Roles

Assign a security official who has authority to develop and enforce your security program. Define clear roles and responsibilities, including who approves access, who handles risk assessment, and who manages security incident response.

Risk Management Program

Use a documented risk analysis to identify threats and vulnerabilities to ePHI, then manage those risks to a reasonable and appropriate level. Prioritize remediation, set timelines, and track completion so decisions are transparent and defensible.

Access and Workforce Oversight

Adopt least-privilege, role-based access procedures and workforce clearance processes. Implement a sanction policy for violations and procedures for authorizing, changing, and terminating access promptly.

Business Associates and Contingency Planning

Execute business associate agreements (BAAs) that require appropriate safeguards for ePHI. Maintain contingency plans—data backup, disaster recovery, and emergency mode operations—to sustain critical functions during disruptions.

Security Incident Response and Documentation

Operate a formal security incident response process for triage, containment, eradication, and recovery. Evaluate potential breaches and document actions, rationale, and outcomes to demonstrate compliance.

Enforce Physical Safeguards

Physical safeguards protect the environments where ePHI is accessed, stored, or transmitted. Your objective is to control who can enter facilities, how workstations are used, and how devices and media are handled end to end.

Facility Access Controls

Restrict facility access to authorized personnel using badges, locks, and visitor procedures. Maintain facility security plans, emergency access procedures, and maintenance records to prove controls operate as intended.

Workstation and Device Protections

Define acceptable workstation use, including placement to reduce shoulder surfing, privacy screens, and secure docking. Physically secure servers, network gear, and clinical endpoints with locked rooms, cabinets, and cable locks.

Media Controls and Disposal

Track the movement of hardware and media that store ePHI. Back up data before relocation, and apply verifiable destruction methods—such as shredding, degaussing, or cryptographic erasure—before disposal or reuse.

Remote and Mobile Environments

Harden laptops and mobile devices with encryption and startup passwords, and store them in secured locations when not in use. Use tamper-evident seals or asset tags and maintain chain-of-custody records for sensitive equipment.

Apply Technical Safeguards

Technical safeguards focus on the systems that create, receive, maintain, or transmit ePHI. Your controls should blend access control, encryption, audit controls, integrity protections, and transmission security.

Access Control

Assign unique user IDs, enforce least privilege, and use role-based access control for clinical, billing, and admin functions. Provide emergency access procedures and implement automatic logoff to reduce unattended-session risk.

Encryption and Transmission Security

Encrypt ePHI in transit (for example, TLS for APIs, email gateways, and patient portals) and at rest on servers and endpoints. Even where encryption is “addressable,” it is a widely expected safeguard for modern threat landscapes.

Audit Controls and Monitoring

Enable audit logs across applications, databases, and operating systems to record who accessed what, when, and from where. Retain logs for investigation, correlate them in a SIEM, and review alerts for anomalous activity.

Integrity and Authentication

Protect ePHI from improper alteration with checksums, hashing, and tamper-evident logging. Verify user identity with strong authentication; multi-factor authentication for remote and privileged access dramatically strengthens defenses.

Conduct Risk Analysis and Management

Risk analysis and management are foundational. You must understand where ePHI resides, how it flows, and what could go wrong—then treat the risks to an acceptable level and reassess regularly.

Scope and Inventory

Inventory systems, applications, interfaces, and third parties that create or touch ePHI. Map data flows to identify storage locations, transmission paths, and dependencies that could expose sensitive information.

Analyze Threats and Vulnerabilities

Evaluate threats (e.g., phishing, ransomware, insider misuse) and vulnerabilities (e.g., unpatched systems, weak access control). Estimate likelihood and impact to prioritize risks that could materially affect confidentiality, integrity, or availability.

Prioritize and Treat Risks

Select controls—technical, physical, and administrative safeguards—to reduce risk to a reasonable and appropriate level. Document decisions, risk owners, timelines, and acceptance of residual risk where justified.

Ongoing Review and Updates

Reassess risks at least annually and after significant changes, incidents, or new systems. Validate that chosen controls work in practice through testing, metrics, and independent review.

Develop Security Policies and Procedures

Policies set expectations; procedures specify how you execute them. Together they standardize behavior, support accountability, and produce the documentation you need for audits.

Policy Framework and Governance

Create a coherent policy set covering access control, encryption, incident response, vulnerability management, and acceptable use. Ensure executive approval and align policies with operational realities.

Procedure Detail and Workflows

Translate policies into step-by-step procedures for provisioning, change management, patching, backup, and recovery. Include triggers, roles, and escalation paths so staff can act quickly under pressure.

Documentation and Retention

Record policies, procedures, evaluations, and actions, and retain them for at least six years from the date of creation or last effective date. Version, date, and review documents to maintain a clear compliance trail.

Vendors and Business Associates

Integrate vendor risk reviews with BAAs, ensuring business associates apply appropriate administrative, physical, and technical safeguards. Specify reporting timelines and cooperation for investigations and remediation.

Security Incident Response Planning

Document a security incident response plan that covers detection, containment, eradication, recovery, and post-incident review. Define breach assessment steps and communications to align with regulatory reporting obligations.

Train Workforce Members

Workforce training embeds security into daily operations. You should educate staff on recognizing threats, handling ePHI correctly, and executing security incident response promptly.

Role-Based and Ongoing Education

Provide onboarding training before granting system access, then deliver periodic refreshers. Tailor modules for clinicians, billing, IT, and executives, with deeper content for privileged users and administrators.

Practical Skills and Reinforcement

Cover phishing recognition, secure messaging, password hygiene, and safe use of mobile devices. Reinforce learning with simulations, micro-lessons, and clear job aids that translate policy into action.

Accountability and Evidence

Track attendance, dates, and results of knowledge checks to show effective workforce training. Address gaps with targeted follow-ups and sanctions when necessary to drive consistent behavior.

Monitor and Audit Security Controls

After controls are in place, you must verify they work. Monitoring and audit controls detect anomalies early, guide corrective action, and demonstrate compliance over time.

Continuous Monitoring and Logging

Centralize logs, set alert thresholds, and review high-risk events like failed logins, privilege changes, and large data exports. Test alerts to ensure the right people receive and act on them quickly.

Vulnerability and Patch Management

Scan systems regularly, remediate critical findings promptly, and validate fixes. Track patch service-level objectives and exceptions, and re-scan to confirm closure.

Assessments and Testing

Conduct periodic internal audits, configuration reviews, and targeted penetration testing. Validate backup restores and disaster recovery exercises to prove availability safeguards function under stress.

Metrics and Reporting

Measure time to detect, time to contain, patch cadence, and phishing click rates. Report trends to leadership, capture lessons learned, and update safeguards as your environment evolves.

Conclusion

The HIPAA Security Rule expects you to protect ePHI through coordinated administrative, physical, and technical safeguards, guided by ongoing risk assessment. With strong policies, workforce training, encryption, access control, and audit controls, you can manage threats pragmatically and prove compliance.

FAQs

What are the main categories of HIPAA Security Rule safeguards?

The three main categories are administrative safeguards, physical safeguards, and technical safeguards. Together they address governance and process, facility and device protections, and system-level controls for ePHI.

How must covered entities conduct risk management?

After performing a comprehensive risk analysis, you must implement measures that reduce identified risks and vulnerabilities to a reasonable and appropriate level. Document decisions, assign owners and timelines, monitor progress, and reassess after changes or incidents.

What technical measures protect ePHI?

Key measures include access control with unique IDs and least privilege, multi-factor authentication for sensitive or remote access, encryption in transit and at rest, audit controls and log review, integrity protections, automatic logoff, and secure transmission using modern protocols.

How often should security training occur?

Provide training at hire or before granting access to ePHI, then refresh at least annually. Add role-based updates when systems or threats change and targeted refreshers after incidents or risk findings.