What Does the HIPAA Security Rule Require? Safeguards, Risk Analysis, and Compliance Essentials


Kevin Henry

HIPAA

February 17, 2024


The HIPAA Security Rule sets national standards to protect electronic Protected Health Information (ePHI). It requires you to implement administrative, physical, and technical safeguards; conduct risk analysis and risk management; train and hold your workforce accountable; review system activity; and document how you comply.

Implement Administrative Safeguards

Security management process

You must establish a process to prevent, detect, contain, and correct security violations. This includes an enterprise risk analysis and a documented risk management plan, which drive control selection and ongoing monitoring. See the dedicated section below for how to execute risk analysis and management.

Assigned security responsibility

Designate a security official with authority to develop, approve, and enforce the security program. Give this role clear ownership of policies, metrics, and coordination with privacy, compliance, and IT operations.

Information access management

Define who may create, read, update, or delete ePHI using role-based access and least privilege. Establish request, approval, and periodic access recertification workflows to keep permissions aligned with job duties.

Security awareness and workforce training programs

Provide initial and periodic training that covers phishing, secure use of devices, incident reporting, and handling ePHI. Tailor content by role, track completion, and reinforce with simulated exercises and just-in-time tips.

Security incident response

Maintain a security incident response plan that specifies triage, containment, investigation, recovery, and post-incident review. Define severity levels, on-call procedures, evidence handling, and criteria for breach notification.

Contingency planning

Implement and test a data backup plan, disaster recovery plan, and emergency mode operations. Specify Recovery Time and Recovery Point Objectives for systems that store or process ePHI and validate them through exercises.

Evaluation

Perform periodic technical and nontechnical evaluations of your safeguards. Trigger ad-hoc evaluations after major changes such as a new EHR, a cloud migration, or a merger.

Business associate oversight

Identify vendors that create, receive, maintain, or transmit ePHI and execute business associate agreements. Require appropriate safeguards, incident reporting, and right-to-audit clauses, and review them regularly.

Required vs. addressable specifications

Some implementation specifications are “required”; others are “addressable.” Addressable does not mean optional: you must assess whether the specification is reasonable and appropriate for your environment, implement it if so, and otherwise document why it is not and implement an equivalent alternative measure that yields the same protection.

Establish Physical Protections

Facility access controls

Limit physical access to data centers, wiring closets, and records rooms while ensuring authorized access is available. Use badges, visitor logs, cameras, and escort procedures, and maintain maintenance and repair records.

Workstation use and security

Define acceptable use for desktops, laptops, and kiosks that handle ePHI. Position screens to reduce exposure, enable automatic locking, and restrict local administrative rights to reduce risk.

Device and media controls

Control the movement of servers, drives, and portable media. Require secure disposal, media re-use sanitization, chain-of-custody tracking, and backup-and-restore validation before decommissioning assets.

Deploy Technical Security Measures

Access control mechanisms

Provide unique user IDs, enforce strong authentication (preferably MFA), and configure emergency access procedures. Use automatic logoff, session timeouts, and encryption at rest where feasible to protect ePHI.

Audit controls

Enable auditable event logging on applications, operating systems, databases, and network devices. Capture access, administrative actions, changes to permissions, and anomalous activity to support investigations and reviews.

Integrity and authentication

Protect ePHI from improper alteration or destruction through hashing, digital signatures, and write-once storage where appropriate. Verify person or entity identity before granting access to systems or data.

Transmission security

Safeguard ePHI in transit using TLS for network communications, secure email options, and VPNs for remote access. Apply integrity controls to detect tampering and disable insecure protocols and ciphers.
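The integrity and transmission-security items above are the two technical safeguards that are easiest to get subtly wrong: a plain hash stored next to a record does not detect alteration, because whoever changes the record can recompute the hash, and a TLS client that does not pin a minimum protocol version will happily negotiate down. The following is an added example (it is not code from the article or from Accountable) showing a keyed integrity tag over an ePHI record plus a client TLS context that refuses pre-1.2 protocols. The record fields, the in-memory key and the `tls_policy_summary` helper are constructed for illustration; in production the key comes from a KMS or HSM, never from source.

```python
import hashlib
import hmac
import json
import secrets
import ssl

# Constructed key for the example only. A real deployment fetches this from a
# KMS/HSM so that a database-level attacker cannot re-seal altered records.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Stable serialization: same content -> same bytes, regardless of key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical record; store this tag alongside the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(seal(record, key), tag)


def hardened_tls_context() -> ssl.SSLContext:
    """Client context for ePHI in transit: TLS 1.2+, no compression, verified peer."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION          # removes the CRIME-style surface
    ctx.check_hostname = True                     # peer must present a cert for this host
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_policy_summary(ctx: ssl.SSLContext) -> dict:
    """Hypothetical evidence helper: the settings an auditor would want recorded."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


if __name__ == "__main__":
    # Constructed record (not real patient data).
    record = {"patient_id": "P-1042", "dx": "J06.9", "updated": "2024-02-10"}
    tag = seal(record)
    print("untouched record verifies:", verify(record, tag))
    print("altered record verifies:  ", verify(dict(record, dx="Z00.0"), tag))
    print(tls_policy_summary(hardened_tls_context()))
```

Digital signatures replace the HMAC when the verifier must not hold the secret (for example, a downstream system checking records it did not produce); the canonicalization and constant-time comparison carry over unchanged.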

Conduct Risk Analysis and Risk Management

Define scope and inventory

Identify all systems, workflows, locations, vendors, and data flows that create, receive, maintain, or transmit ePHI. Map where data originates, how it moves, who accesses it, and where it is stored or backed up.

Identify threats and vulnerabilities

List relevant threats such as phishing, ransomware, insider misuse, power loss, and device theft. Catalog vulnerabilities like unpatched software, misconfigurations, shadow IT, or weak change control.

Analyze likelihood and impact

Estimate the likelihood of each threat exploiting a vulnerability and the impact on confidentiality, integrity, and availability. Use qualitative or quantitative scoring to derive risk levels and prioritize treatment.

Treat and monitor risk

Select safeguards to avoid, mitigate, transfer, or accept risk, and document residual risk. Align actions to budget and timelines, assign owners, and track progress, metrics, and control effectiveness.

Integrate a risk management framework

Embed the process into an established risk management framework to ensure consistency and continuous improvement. Tie findings to security policy enforcement, investment decisions, and board-level reporting.

Continuous review

Revisit risk analysis at least annually and after significant changes or incidents. Update your asset inventory, threat landscape, and control set so protections evolve with your environment.
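The six steps above (scope, identify, analyze, treat, integrate, review) produce one artifact auditors ask for: a documented risk register with inherent and residual scores and an owner per item. As an added example that is not code from the article or from Accountable, the block below carries the qualitative likelihood-by-impact scoring through to prioritization and residual-risk tracking. The 1-5 scales, the level cut-offs and the sample risks are constructed for illustration; calibrate and document your own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative 1-5 scales. Labels and cut-offs are constructed for this example;
# a real program records its own calibration in the risk management plan.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 1-5 scales gives a 1-25 score."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Bucket a 1-25 score into the levels used for prioritization."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: str
    treatment: str = "mitigate"                 # avoid | mitigate | transfer | accept
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # None: unchanged from inherent
    residual_impact: Optional[str] = None

    @property
    def inherent_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def residual_score(self) -> int:
        """Score after the selected controls; equals inherent when nothing changes."""
        return risk_score(self.residual_likelihood or self.likelihood,
                          self.residual_impact or self.impact)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest inherent risk first, so treatment budget goes where it matters."""
    return sorted(risks, key=lambda r: r.inherent_score, reverse=True)


def open_items(risks: List[Risk]) -> List[Risk]:
    """Risks that still need tracked work: residual above 'low' and not formally accepted."""
    return [r for r in risks
            if risk_level(r.residual_score) != "low" and r.treatment != "accept"]


def register_rows(risks: List[Risk]) -> List[dict]:
    """Rows of the documented risk register, ordered by priority."""
    return [{
        "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
        "inherent": f"{r.inherent_score} ({risk_level(r.inherent_score)})",
        "treatment": r.treatment, "controls": "; ".join(r.controls) or "none",
        "residual": f"{r.residual_score} ({risk_level(r.residual_score)})",
        "owner": r.owner,
    } for r in prioritize(risks)]


# Constructed sample register (not real findings).
SAMPLE_RISKS = [
    Risk("EHR database", "ransomware", "unpatched OS on database host", "likely", "severe",
         "IT Ops", controls=["14-day patch SLA", "offline backups restored quarterly"],
         residual_likelihood="unlikely", residual_impact="major"),
    Risk("Clinician laptops", "device theft", "no full-disk encryption on 12 laptops",
         "possible", "major", "Endpoint team", controls=["FDE enforced by MDM"],
         residual_impact="negligible"),
    Risk("Billing webmail", "phishing", "no MFA on webmail", "almost_certain", "moderate",
         "Identity team", controls=["MFA", "role-based phishing training"],
         residual_likelihood="possible"),
    Risk("Records room", "power loss", "single feed, no UPS", "unlikely", "minor",
         "Facilities", treatment="accept"),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE_RISKS):
        print(row)
    print("still open:", [r.asset for r in open_items(SAMPLE_RISKS)])
```

The `open_items` list is what the continuous-review step re-examines; an accepted risk stays in the register with its owner and rationale, it just leaves the work queue.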

Enforce Workforce Sanctions

Security policy enforcement

Adopt a written sanctions policy that defines prohibited behaviors, severity tiers, and corresponding actions. Apply it consistently across roles to deter noncompliance and reinforce accountability.

Progressive discipline and fairness

Use progressive steps—coaching, retraining, warning, suspension, or termination—based on intent and impact. Pair sanctions with corrective actions to reduce recurrence and improve control adherence.

Documentation and follow-through

Document each incident, investigation, decision, and outcome. Feed lessons learned into workforce training programs and process fixes to strengthen your overall security posture.

Perform Information System Activity Reviews

What to review

Regularly review audit logs, access reports, exception reports, and security alerts. Correlate events across applications, EHRs, identity systems, and network security tools to find risky patterns.

How often to review

Set a risk-based cadence: automated real-time alerting for critical events, daily or weekly targeted reviews for high-risk systems, and monthly management summaries. Adjust frequency after incidents or major changes.

From findings to action

Track findings to closure with owners and deadlines. Escalate confirmed issues through security incident response, update controls, and re-train affected teams when necessary.
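A system activity review is only as useful as the questions it asks of the logs. The block below is an added example, not code from the article or from Accountable, of a review pass over constructed audit-log lines that correlates the application log with an identity feed (a deprovisioned-user list) and flags the patterns the section describes: activity by a terminated account, after-hours ePHI access by a non-clinical role, bulk record access, repeated failed logins, exports, and permission changes that need matching approval records. The log format, thresholds, business-hours window and role names are all assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed audit-log lines (not real data): one event per line.
SAMPLE_LOG = """\
2024-02-10T09:12:03Z user=asmith role=nurse action=VIEW patient=P-1042 result=OK src=10.4.2.17
2024-02-10T09:13:40Z user=asmith role=nurse action=VIEW patient=P-1043 result=OK src=10.4.2.17
2024-02-10T02:13:44Z user=jdoe role=billing action=VIEW patient=P-2001 result=OK src=10.4.9.3
2024-02-10T02:14:02Z user=jdoe role=billing action=VIEW patient=P-2002 result=OK src=10.4.9.3
2024-02-10T02:14:20Z user=jdoe role=billing action=EXPORT patient=P-2003 result=OK src=10.4.9.3
2024-02-10T10:01:11Z user=tlee role=clinician action=VIEW patient=P-3007 result=OK src=10.4.3.8
2024-02-10T10:05:00Z user=bgone role=admin action=LOGIN patient=- result=FAIL src=203.0.113.5
2024-02-10T10:05:07Z user=bgone role=admin action=LOGIN patient=- result=FAIL src=203.0.113.5
2024-02-10T10:05:15Z user=bgone role=admin action=LOGIN patient=- result=FAIL src=203.0.113.5
2024-02-10T10:05:21Z user=bgone role=admin action=LOGIN patient=- result=OK src=203.0.113.5
2024-02-10T11:30:00Z user=rpatel role=admin action=PERM_CHANGE patient=- result=OK src=10.4.1.2
"""

# Constructed review policy: in practice these come from HR and the security policy.
TERMINATED_USERS = {"bgone"}             # correlated from the HR offboarding feed
CLINICAL_ROLES = {"clinician", "nurse"}  # roles expected to touch charts at any hour
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 UTC
BULK_THRESHOLD = 3                       # distinct patients per user in the review window
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) result=(?P<result>\S+) src=(?P<src>\S+)"
)


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def review(events: list) -> list:
    """Return (severity, user, finding) tuples, one per user and rule, highest first."""
    findings = set()
    patients_by_user = defaultdict(set)
    failed_logins = Counter()
    for ev in events:
        if ev["user"] in TERMINATED_USERS:
            findings.add(("high", ev["user"], "activity by deprovisioned account"))
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failed_logins[ev["user"]] += 1
        if ev["patient"] != "-":
            patients_by_user[ev["user"]].add(ev["patient"])
            if ev["ts"].hour not in BUSINESS_HOURS and ev["role"] not in CLINICAL_ROLES:
                findings.add(("medium", ev["user"], "after-hours ePHI access by non-clinical role"))
        if ev["action"] == "EXPORT":
            findings.add(("medium", ev["user"], "ePHI export"))
        if ev["action"] == "PERM_CHANGE":
            findings.add(("low", ev["user"], "permission change to verify against approval record"))
    for user, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.add(("medium", user, f"{n} failed logins"))
    for user, patients in patients_by_user.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.add(("medium", user, f"accessed {len(patients)} distinct patient records"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, user, finding in review(parse(SAMPLE_LOG)):
        print(f"[{severity}] {user}: {finding}")
```

Each finding becomes a tracked item with an owner and deadline; a confirmed one (here, the login by the deprovisioned account) is handed to incident response rather than closed in the review itself.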

Maintain Compliance Documentation

What to retain

Maintain policies and procedures, risk analyses, risk management plans, training records, sanctions records, system activity review results, incident and breach reports, contingency plans, and vendor agreements.

Retention, versioning, and evidence

Retain documentation for at least six years from its creation date or the date it was last in effect, whichever is later. Use version control, approval records, and timestamps, and keep evidence such as screenshots, configurations, and test results.

Operationalizing documentation

Embed documentation into daily workflows so practice matches policy. Align procedures with access control mechanisms, audit controls, and change management to produce consistent, auditable outcomes.

Conclusion

The HIPAA Security Rule requires a living program: solid safeguards, a disciplined risk process, trained people, active monitoring, and complete records. When you integrate these elements, you protect ePHI and sustain compliance over time.

FAQs

What are the key safeguards required by the HIPAA Security Rule?

The Rule organizes requirements into administrative, physical, and technical safeguards. You must manage risk, assign security responsibility, train your workforce, enforce sanctions, control facility and device access, and implement access control mechanisms, audit controls, integrity protections, authentication, and transmission security for ePHI.

How is a risk analysis conducted under the Security Rule?

Scope all ePHI assets and data flows, identify threats and vulnerabilities, assess likelihood and impact, and prioritize risks. Then implement and document treatments within a risk management framework, monitor effectiveness, and update the analysis at least annually and after significant changes or incidents.

What documentation is required for HIPAA compliance?

Maintain written policies and procedures; risk analyses and risk management plans; workforce training programs and sanctions records; system activity review results; security incident response records; contingency plans and test results; configurations and change logs; and business associate agreements, retained for six years.

How often should entities review information system activity?

Use a risk-based schedule: real-time alerting for critical events, daily or weekly reviews for high-risk systems, and monthly summaries for leadership. Increase frequency after incidents, upgrades, or when monitoring reveals emerging threats.
