What is the HIPAA Security Rule?
The HIPAA Security Rule (45 CFR Part 164, Subparts A and C) establishes national standards for protecting electronic protected health information (ePHI). It requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
The Security Rule applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who conduct electronic transactions — and their business associates. If your technology company handles ePHI on behalf of a covered entity, you are a business associate and the Security Rule applies to you.
Who Must Comply
The Security Rule’s reach extends beyond hospitals and insurers to any organization that creates, receives, maintains, or transmits ePHI:
- Covered Entities — health plans, healthcare clearinghouses, and healthcare providers conducting standard electronic transactions
- Business Associates — any person or organization that performs functions or activities involving ePHI on behalf of a covered entity
- Business Associate Subcontractors — entities that create, receive, maintain, or transmit ePHI on behalf of a business associate
Three Safeguard Categories
The Security Rule organizes its requirements into three categories of safeguards. Each category contains standards, and each standard may have required or addressable implementation specifications. Required specifications must be implemented as written; addressable specifications are not optional, but must either be implemented or replaced with a documented, reasonable and appropriate alternative (or a documented rationale for why neither applies).
| Safeguard Category | Standards | Focus |
|---|---|---|
| Administrative | Security management process, workforce security, information access management, security awareness training, security incident procedures, contingency planning, evaluation, business associate agreements (BAAs) | Policies, procedures, and organizational measures |
| Physical | Facility access controls, workstation use, workstation security, device and media controls | Physical access to facilities, workstations, and devices |
| Technical | Access control, audit controls, integrity controls, person/entity authentication, transmission security | Technology-based controls for ePHI access and protection |
Administrative Safeguards
Administrative safeguards are the policies and procedures that form the foundation of your security program. They account for more than half of the Security Rule’s requirements.
| Standard | Key Requirements |
|---|---|
| Security Management Process | Risk analysis, risk management, sanction policy, information system activity review |
| Workforce Security | Authorization and supervision, workforce clearance, termination procedures |
| Information Access Management | Access authorization, access establishment and modification, isolating healthcare clearinghouse functions |
| Security Awareness and Training | Security reminders, protection from malware, log-in monitoring, password management |
| Security Incident Procedures | Response and reporting |
| Contingency Planning | Data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision |
| Evaluation | Periodic technical and nontechnical evaluation |
| Business Associate Agreements | Written BAAs with all business associates and subcontractors |
Physical Safeguards
Physical safeguards protect the physical systems and facilities that store, process, or transmit ePHI.
| Standard | Key Requirements |
|---|---|
| Facility Access Controls | Contingency operations, facility security plan, access control and validation, maintenance records |
| Workstation Use | Specify proper functions and physical attributes of workstations accessing ePHI |
| Workstation Security | Physical safeguards for workstations that access ePHI |
| Device and Media Controls | Disposal, media re-use, accountability, data backup and storage |
Technical Safeguards
Technical safeguards are the technology-based protections that control access to ePHI and protect it during transmission and storage.
| Standard | Key Requirements |
|---|---|
| Access Control | Unique user identification, emergency access procedure, automatic logoff, encryption and decryption |
| Audit Controls | Hardware, software, and procedural mechanisms to record and examine activity in ePHI systems |
| Integrity Controls | Policies and procedures to protect ePHI from improper alteration or destruction |
| Person or Entity Authentication | Procedures to verify the identity of persons or entities seeking access to ePHI |
| Transmission Security | Integrity controls and encryption for ePHI transmitted over electronic networks |
Readiness Assessment Checklist
Before engaging with covered entities or responding to an inquiry from the HHS Office for Civil Rights (OCR), evaluate where your organization stands against these readiness questions:
- Has a comprehensive risk analysis been completed and documented?
- Are access controls for all ePHI systems documented with role-based permissions?
- Is audit logging implemented across all systems that create, receive, maintain, or transmit ePHI?
- Are BAAs executed with all vendors and subcontractors who handle ePHI?
- Has the contingency plan been tested and are results documented?
- Is workforce security training documented with completion records for all staff?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our readiness process to understand how we help healthcare technology companies prepare for HIPAA Security Rule compliance.