Which of the Following Is Not a HIPAA Security Safeguard? Quick Guide and Examples


Kevin Henry

HIPAA

August 29, 2025

7 minute read

Administrative Safeguards Overview

Administrative safeguards set the governance for how you manage risk to ePHI protection. If you face the question “Which of the following is not a HIPAA Security safeguard?”, start by remembering that these safeguards are policy- and process-driven, not just tools or buildings.

Your program should define roles, conduct a risk analysis, and establish access control policies that specify who may use systems and under what conditions. You also need security incident procedures and a contingency plan so you can detect, respond to, and recover from events that threaten confidentiality, integrity, or availability.

Key elements you must document

  • Risk analysis and risk management to identify, prioritize, and mitigate threats to ePHI, together with a sanction policy and regular review of system activity records.
  • Assigned security responsibility: a named security official with clear authority over the program.
  • Workforce security and information access management that enforce minimum necessary access and revoke it promptly when roles change or staff leave.
  • Security awareness and training covering phishing, malware, password management, and safe handling of ePHI.
  • Security incident procedures for reporting, response, mitigation, and post-incident review.
  • Contingency plan with data backup, disaster recovery, and emergency mode operations, plus testing and revision of those plans.
  • Business associate contracts that bind vendors who create, receive, maintain, or transmit ePHI on your behalf to the same safeguards.
  • Ongoing evaluation to verify controls remain effective as your environment and the regulations change.

Practical steps that strengthen governance

  • Publish and enforce access control policies with sanctions for violations.
  • Maintain a risk register and map each risk to specific administrative, physical, or technical controls.
  • Test your incident playbooks and contingency plan at least annually and after major changes.

Physical Safeguards Implementation

Physical safeguards protect the places and equipment where ePHI is created, received, maintained, or transmitted. They reduce the chance that someone can see, steal, or damage systems that store sensitive data.

Focus on facility access controls, workstation practices, and device and media controls. These measures ensure only authorized people can reach critical areas, and that hardware is positioned, used, moved, and disposed of securely.

Core physical controls

  • Facility access controls: badges, visitor logs, locked server rooms, and documented after-hours access.
  • Workstation use and security: position screens away from public view, use privacy filters, lock unattended sessions, and enforce clean-desk rules.
  • Device and media controls: hardware inventory with accountability for every move, secure disposal, validated media re-use (wiping before reassignment), backup of ePHI before equipment is relocated, and full-disk encryption of laptops and portable drives.

Implementation tips

  • Segment clinical areas and data centers; limit keys and badge permissions to least privilege.
  • Standardize secure imaging, printing, and storage so ePHI doesn’t linger on local devices.
  • Document chain-of-custody for hardware moves and use locked bins for media awaiting destruction.

Technical Safeguards Explained

Technical safeguards are the system-level controls that enforce who can access ePHI and how data is protected in transit and at rest. They include authentication, authorization, monitoring, and protective technologies aligned to your risk analysis.

Implement strong authentication and authorization, configure audit controls, preserve data integrity, and apply encryption standards for transmissions and (where appropriate) storage. These measures operationalize your access control policies and create reliable evidence of activity.


What to implement

  • Access control: unique user IDs, role-based permissions, emergency access, and automatic logoff.
  • Audit controls: centralized logging, alerts for anomalous access, and routine log review.
  • Integrity protections: hashing, secure configuration baselines, and change monitoring.
  • Person or entity authentication: strong passwords plus MFA to reduce account takeover.
  • Transmission security: encryption standards such as TLS 1.2 or later for data in motion and authenticated VPNs for remote connections, with integrity checks so that modification in transit is detected rather than silently accepted.

Operational best practices

  • Apply least privilege and regularly re-certify access, especially for privileged accounts.
  • Use network segmentation and deny-by-default firewall rules around ePHI systems.
  • Test backups and recovery to ensure availability even after ransomware or outages.

Identifying Non-HIPAA Security Measures

When a question asks, “Which of the following is not a HIPAA Security safeguard?”, choose the option that does not protect electronic health information or support the Security Rule’s administrative, physical, or technical categories. Controls about marketing, general workplace safety, or payment card processing are common decoys.

Examples of measures that are not HIPAA Security safeguards include:

  • Marketing preferences, patient satisfaction surveys, or social media policies unrelated to ePHI protection.
  • OSHA fire safety drills, ergonomic programs, or chemical handling procedures.
  • PCI DSS controls for credit card data or retail anti-fraud checks.
  • School privacy requirements under FERPA or general HR policies about vacation or dress code.
  • Building amenities like parking lot lighting or lobby signage not tied to facility access controls.

As a quick test, ask: Does the measure manage risk to ePHI, control system or facility access, enforce authentication, enable audit controls, or define security incident procedures? If not, it’s likely outside HIPAA Security safeguards.

Common Misconceptions about HIPAA Safeguards

  • Myth: HIPAA mandates specific brands or tools. Reality: It is risk-based; you select reasonable and appropriate controls for your environment.
  • Myth: Encryption is optional. Reality: It is an "addressable" implementation specification, which is not the same as optional: you implement it where reasonable and appropriate, and if you decide not to, you must document why and put an equivalent alternative measure in place. Encryption also matters under the Breach Notification Rule: a lost device whose ePHI is encrypted in line with NIST guidance is generally not a reportable breach, while the same loss with unencrypted data usually is.
  • Myth: Paper records are fully covered by the Security Rule. Reality: The Security Rule targets electronic PHI; paper PHI is governed primarily by the Privacy Rule and physical practices.
  • Myth: A single annual training is enough. Reality: You need ongoing awareness, defined access control policies, and routine evaluations.
  • Myth: Logs exist, so you’re compliant. Reality: You must configure audit controls and actually review and act on findings.

Examples of HIPAA Security Failures

  • Lost unencrypted laptop: A clinician’s device with ePHI is stolen. Safeguards that prevent: device and media controls, full-disk encryption, access control with MFA, and rapid security incident procedures.
  • Improper media disposal: Old hard drives sold without wiping. Safeguards that prevent: documented device and media controls, certified destruction, and inventory accountability.
  • Shared credentials: Staff reuse a generic login. Safeguards that prevent: access control policies, unique IDs, MFA, and audit controls that flag shared use.
  • Unmonitored admin access: Privileged accounts access ePHI after hours unnoticed. Safeguards that prevent: audit controls with alerts, least privilege, and routine log review.
  • Email phishing breach: Mailbox with ePHI is compromised. Safeguards that prevent: security awareness training, MFA, phishing-resistant authentication, and incident response playbooks.
  • Server room left unlocked: Unauthorized person accesses equipment. Safeguards that prevent: facility access controls, visitor management, and surveillance with access reviews.
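
Audit controls only pay off if someone actually reviews the logs, and two of the failures above, shared credentials and unmonitored after-hours admin access, are exactly the kind of pattern a small scheduled review job can surface before an auditor or an attacker does. The script below is an added Python example, not code from the original page or from Accountable; the key=value log format, the sample records, the business-hours range, and the ten-minute window are all assumptions made for the demonstration, and both the timestamps and the hours policy are treated as UTC for simplicity (a real job converts to the facility's local time zone).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy parameters (a real program takes these from the risk analysis and access policy).
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59; anything else is "after hours"
SHARED_WINDOW = timedelta(minutes=10)  # one user ID from two source IPs inside this window is suspicious
PRIVILEGED_ROLES = {"privileged"}

# Constructed sample audit records in a simple key=value format; not a real product's log schema.
SAMPLE_LOG = """\
2025-08-28T09:12:01Z user=nurse.patel role=clinical action=view record=PT-10234 src=10.0.5.21
2025-08-28T09:15:44Z user=frontdesk role=clinical action=view record=PT-10240 src=10.0.5.30
2025-08-28T09:17:02Z user=frontdesk role=clinical action=view record=PT-10241 src=10.0.5.31
2025-08-28T23:41:10Z user=dbadmin role=privileged action=export record=PT-10234 src=10.0.9.2
2025-08-28T14:03:55Z user=dbadmin role=privileged action=view record=PT-10999 src=10.0.9.2
"""


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with a timezone-aware datetime under 'time'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def after_hours_privileged(events: list) -> list:
    """Flag privileged accounts touching ePHI outside the assumed business hours."""
    return [
        ("AFTER_HOURS_PRIVILEGED", e["user"], e["time"].isoformat(), e["record"])
        for e in events
        if e["role"] in PRIVILEGED_ROLES and e["time"].hour not in BUSINESS_HOURS
    ]


def first_conflicting_pair(evs: list):
    """Return the first two events (time-ordered) for one user from different sources within the window."""
    for i, a in enumerate(evs):
        for b in evs[i + 1:]:
            if b["time"] - a["time"] > SHARED_WINDOW:
                break  # evs is sorted, so later events are even further away
            if a["src"] != b["src"]:
                return a, b
    return None


def shared_credential_use(events: list) -> list:
    """Flag a user ID seen from more than one source address inside SHARED_WINDOW (generic/shared login)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        pair = first_conflicting_pair(evs)
        if pair:
            a, b = pair
            alerts.append(("SHARED_CREDENTIAL", user, a["src"], b["src"]))  # one alert per user
    return alerts


def review(log_text: str) -> list:
    """Parse the log and run both review rules; returns a list of alert tuples."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return after_hours_privileged(events) + shared_credential_use(events)


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)
```

Run against the constructed sample, the job raises two alerts: the dbadmin export at 23:41 and the frontdesk account used from two workstations within two minutes. The daytime dbadmin access is not flagged, which is the point of tying the rule to the access policy rather than to the role alone; the records that are never flagged are the ones worth keeping anyway, because the Security Rule asks for the evidence of routine review, not just for the alerts.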

Bottom line: Align administrative governance, physical protections, and technical controls to your risk analysis. If a measure doesn’t advance ePHI protection—through access control, facility access controls, encryption standards, audit controls, or security incident procedures—it’s probably not a HIPAA Security safeguard.

FAQs

What are the three categories of HIPAA security safeguards?

Administrative, Physical, and Technical. Administrative safeguards set policies and oversight, Physical safeguards secure facilities, workstations, and devices, and Technical safeguards control system access, logging, integrity, and transmission security to protect ePHI.

How do technical safeguards protect ePHI?

They enforce who can access data, record who did what, and secure data against tampering or interception. Core measures include access control, audit controls, integrity protections, strong authentication, and encryption standards for data in transit and, when appropriate, at rest.

What distinguishes physical safeguards from administrative safeguards?

Physical safeguards are the tangible protections—facility access controls, workstation security, and device and media controls. Administrative safeguards are the policies, procedures, training, and risk management activities that direct how you select, implement, and monitor all controls.

How can organizations identify non-compliant security measures?

Map each control to a HIPAA Security category and to a specific risk in your risk analysis. If a measure doesn't reduce risk to ePHI, enable access control or audit controls, or support incident response and recovery, it is out of scope for the Security Rule (it may still be required by another regulation such as OSHA or PCI DSS, but it will not count as a HIPAA safeguard). Validate the controls that are in scope with documented policies, testing, and periodic evaluations.
