HIPAA Security Rule Compliance: A Plain-Language Breakdown of All Required Safeguards

What the HIPAA Security Rule Actually Requires

The HIPAA Security Rule is one of the most widely referenced—and most commonly misunderstood—compliance frameworks in regulated industries. Covered entities and business associates frequently confuse the Privacy Rule with the Security Rule, treat the requirements as a checkbox exercise, or overlook implementation specifications that carry real enforcement weight.

This post cuts through the noise. If you are a compliance manager, privacy officer, or executive at a healthcare organization or any entity that handles electronic protected health information (ePHI), this is the plain-language breakdown you need before your next risk analysis, OCR audit, or vendor review.

The Security Rule, codified at 45 CFR Parts 160 and 164, applies to all ePHI your organization creates, receives, maintains, or transmits. It is organized around three categories of safeguards: administrative, physical, and technical. Each category contains required and addressable implementation specifications. Required specifications must be implemented as written. Addressable specifications must either be implemented or documented with a reasonable alternative. That distinction matters more than most organizations realize.

Administrative Safeguards: The Foundation of Your Security Program

Administrative safeguards account for the largest portion of the Security Rule and govern how your organization manages the selection, development, implementation, and maintenance of security measures. They are the policy and process engine behind every technical control you deploy.

Security Management Process

This is the cornerstone requirement. You must implement policies and procedures to prevent, detect, contain, and correct security violations. Four implementation specifications fall under this standard, and all four are required:

  • Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI. This is the single most commonly cited deficiency in OCR enforcement actions.
  • Risk management: Implement security measures to reduce identified risks to a reasonable and appropriate level.
  • Sanction policy: Apply appropriate sanctions against workforce members who fail to comply with your security policies.
  • Information system activity review: Regularly review records of information system activity, including audit logs, access reports, and security incident tracking.

If your organization has not completed a formal, documented HIPAA risk assessment, this is where to start. Every other element of your compliance program depends on it.

Assigned Security Responsibility

You must identify a security official responsible for developing and implementing your security policies and procedures. This is a required specification with no alternatives. The role does not need to be full-time or exclusively dedicated, but the responsibility must be formally assigned and documented.

Workforce Security

All three implementation specifications here are addressable: authorization and supervision, workforce clearance procedures, and termination procedures. In practice, most organizations implement all three because the alternatives are difficult to justify under scrutiny.

Information Access Management

This standard includes required specifications for isolating healthcare clearinghouse functions and addressable specifications for access authorization, establishment, and modification procedures. Role-based access control aligned to job function is the baseline expectation.

Security Awareness and Training

All four specifications—security reminders, protection from malicious software, log-in monitoring, and password management—are addressable. Despite being addressable, workforce training failures appear regularly in breach reports and enforcement settlements. Annual training alone is rarely sufficient.

Security Incident Procedures

You must have a documented process for identifying, responding to, and reporting security incidents. The response and reporting specification is required. Your incident response plan should align with your broader breach notification obligations under the HIPAA Breach Notification Rule.

Contingency Plan

This standard requires a data backup plan, a disaster recovery plan, an emergency mode operation plan, and testing and revision procedures. The criticality analysis specification is addressable. Many organizations treat contingency planning as an IT function—it is a compliance obligation with documented, testable requirements.

Evaluation

You must perform periodic technical and nontechnical evaluations in response to environmental or operational changes that affect the security of ePHI. The evaluation standard is required and is frequently overlooked during mergers, system migrations, and third-party integrations.

Business Associate Contracts

Any vendor or subcontractor that creates, receives, maintains, or transmits ePHI on your behalf must have a signed business associate agreement (BAA) that satisfies the Security Rule's requirements. This is required, not addressable. Failure to maintain current BAAs is among the most common findings in compliance reviews.

Physical Safeguards: Protecting the Spaces Where ePHI Lives

Physical safeguards govern access to the physical locations and devices that store or process ePHI. They are straightforward in concept but frequently underdocumented in practice.

Facility Access Controls

All four implementation specifications—contingency operations, facility security plan, access control and validation procedures, and maintenance records—are addressable. Your facility security plan should define who can access server rooms, workstation areas, and storage locations, and under what conditions.

Workstation Use

This required standard mandates policies specifying the proper functions performed on workstations that access ePHI, the manner in which those functions are performed, and the physical surroundings. Remote work environments have made this standard harder to enforce and more important to document.

Workstation Security

Also required, this standard mandates physical safeguards for all workstations that access ePHI, restricting access to authorized users only. Screen locks, physical cable locks, and clean-desk policies are common implementation approaches.

Device and Media Controls

Disposal and media re-use specifications are required. Data backup and accountability specifications are addressable. Every organization that handles ePHI on portable devices, hard drives, or removable media needs documented procedures for what happens when that equipment is retired, lost, or transferred.

Technical Safeguards: The Controls That Protect ePHI in Transit and at Rest

Technical safeguards are the security controls built into the information systems that create, receive, maintain, or transmit ePHI. They are where most organizations over-invest in technology while under-investing in documentation and governance.

Access Control

Unique user identification and emergency access procedures are required. Automatic logoff and encryption and decryption specifications are addressable. Every user who accesses ePHI must have a unique identifier. Shared credentials are a direct violation of this requirement and a common audit finding.

Audit Controls

This required standard mandates hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Logging is not enough—you must also have a process for reviewing those logs. Our post on data loss prevention covers how monitoring tools can support this requirement.

Integrity

The integrity standard requires policies and procedures to protect ePHI from improper alteration or destruction. The authentication mechanism specification is addressable. File integrity monitoring and checksums are common technical implementations.
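To make the "checksums" point concrete, here is an added example of a minimal file integrity monitoring (FIM) workflow in Python: build a SHA-256 baseline of a directory tree, then later re-scan and report files that were modified, added, or removed. This is illustration code written for this post, not a tool from Cleared Systems or a product the page describes; the directory layout and file contents it creates under a temporary folder are constructed sample data, and the `records/`, `config.ini` and similar names are assumptions, not real system paths.

```python
"""Minimal file integrity monitoring: SHA-256 baseline and drift report.

Added illustration for the Integrity standard; the sample files are
constructed in a temporary directory and are not real ePHI.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # read files in 64 KiB chunks so large files do not load into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def save_baseline(baseline: dict[str, str], out_path: Path) -> None:
    """Persist the baseline as JSON (store this copy somewhere the monitored host cannot alter it)."""
    out_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path: Path) -> dict[str, str]:
    """Load a previously saved baseline."""
    return json.loads(in_path.read_text())


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash root and classify drift against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Build a baseline over constructed sample files, change some, and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "visit.txt").write_text("constructed sample record\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        (root / "old.txt").write_text("constructed file that will be removed\n")

        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")  # written for illustration only

        # Simulate improper alteration, deletion, and an unexpected new file.
        (root / "records" / "visit.txt").write_text("constructed sample record, altered\n")
        (root / "old.txt").unlink()
        (root / "new.txt").write_text("unexpected file\n")

        # The baseline file itself now exists on disk, so exclude it before comparing.
        stored = load_baseline(root / "baseline.json")
        (root / "baseline.json").unlink()
        return verify(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for this to count as an integrity control rather than a script: the baseline must be stored where the monitored system cannot rewrite it (a separate host, a signed artifact, or a write-once store), and every "modified" or "removed" result needs a documented review and escalation path, which is the same process expectation the Audit Controls standard places on log review.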

Person or Entity Authentication

This required standard mandates procedures to verify that a person or entity seeking access to ePHI is who they claim to be. Multi-factor authentication satisfies this requirement and is now considered a baseline expectation in OCR guidance.

Transmission Security

Integrity controls are addressable. Encryption is addressable—but practically required in any environment where ePHI traverses public networks. If your organization transmits ePHI over email, web portals, or cloud platforms without encryption, you are carrying significant enforcement risk regardless of the technical classification of the specification.

Organizational Requirements and Policies

Beyond the three safeguard categories, the Security Rule includes organizational requirements covering business associate contracts and group health plan requirements, as well as a documentation standard. Policies and procedures must be maintained in written form, retained for six years from creation or last effective date, and made available to those responsible for implementation.

Documentation is where many organizations underperform. Our HIPAA Privacy and Security Compliance guide for healthcare administrators provides a practical reference for building the documentation foundation your program requires. For organizations that need a ready-to-use documentation package, the HIPAA Compliance Documentation Toolkit is a practical starting point.

How the Security Rule Connects to Broader Compliance Obligations

HIPAA Security Rule compliance does not exist in isolation. If your organization is a federal contractor or subcontractor that also handles controlled unclassified information, the Security Rule's risk management requirements have significant overlap with NIST SP 800-171 and CMMC obligations. Our IT compliance services team regularly works with organizations navigating both frameworks simultaneously.

For healthcare organizations that want strategic compliance leadership without the cost of a full-time hire, a Regulatory vCISO engagement provides the expertise to align your Security Rule program with current OCR enforcement priorities, manage your annual risk analysis cycle, and keep your technical and administrative controls audit-ready.

The Security Rule is not a compliance problem you solve once. It requires ongoing evaluation, documented updates when your environment changes, and consistent workforce engagement. Organizations that treat it as a one-time project consistently find themselves exposed when the environment changes around them.

Take the Next Step Toward Full HIPAA Security Rule Compliance

Whether you are building a Security Rule program from the ground up, preparing for an OCR audit, or trying to close gaps identified in a recent risk analysis, Cleared Systems has the expertise to get you there. Our team works with healthcare organizations, covered entities, and business associates to design programs that are defensible, documented, and built to scale. Request a quote today to speak with a compliance specialist about your organization's specific obligations and where your program stands.
