HIPAA Security Rule
The HIPAA Security Rule contains the security standards for the protection of electronic Protected Health Information (ePHI) that apply when a HIPAA covered entity or business associate creates, receives, transmits, or maintains ePHI in connection with an activity or function regulated by the HIPAA Administrative Simplification Regulations.
Rather than being a one-size-fits-all set of security standards, the HIPAA Security Rule allows a degree of flexibility with regard to what standards are implemented and how they are applied. It is also important to be aware that because ePHI is a subset of Protected Health Information, the HIPAA Privacy Rule still governs how ePHI can be used and disclosed.
Details of these variables are published in the General Requirements of the HIPAA Security Rule. Thereafter, the main standards and implementation specifications are listed in the Administrative, Physical, and Technical Safeguards, while other security-related HIPAA compliance standards appear in the Organizational and Documentation Requirements.
General Security Requirements
The General Security Requirements (§164.306) apply to all HIPAA Security Rule standards, implementation specifications, and safeguards. They stipulate that HIPAA covered entities and business associates must in each case:
- Ensure the confidentiality, integrity, and availability of ePHI,
- Protect against reasonably anticipated threats to the security and integrity of ePHI,
- Protect against reasonably anticipated uses or disclosures of ePHI not permitted by the HIPAA Privacy Rule, and
- Ensure compliance with the HIPAA Security Rule by members of the workforce.
HIPAA covered entities and business associates may use any security measures that allow the reasonable and appropriate implementation of the HIPAA Security Rule standards depending on the size, complexity, and capabilities of the organization, its existing technical infrastructure, the costs of security measures, and the probability and criticality of potential risks to ePHI.
There are also some implementation specifications that are “required” and others that are “addressable”. In most cases, an “addressable” implementation specification must be implemented unless it is not considered reasonable and appropriate in the circumstances, the circumstances are documented, and an equally effective measure is implemented in its place.
Note: While it may seem that opportunities exist for organizations to evade their compliance obligations, every decision about how the HIPAA Security Rule is complied with must be based on the outcome of a risk analysis and documented. Organizations that take shortcuts with compliance will face tougher consequences in the event of an avoidable data breach.
Administrative Security Safeguards
Although none of the Administrative Security Safeguards are more important than the others, the standard that many HIPAA covered entities and business associates appear to struggle with is the requirement to conduct a thorough risk analysis. This is according to data gathered by HHS’ Office for Civil Rights during compliance and breach investigations.
Due to concerns about the thoroughness and frequency of risk analyses, HHS’ Office for Civil Rights has published guidance on conducting risk analyses, and released an interactive Security Risk Assessment Tool. HIPAA covered entities and business associates are advised to review these resources to ensure their analyses fulfil the HIPAA Security Rule requirements.
Other areas of the Administrative Security Safeguards worth reviewing include the requirements for security awareness training, as this has to be provided in the context of the General Security Requirements, and the requirements for contingency planning. This is especially important when a healthcare provider is required to comply with CMS’ Emergency Preparedness Rule.
Physical Security Safeguards
The Physical Security Safeguards mostly relate to securing the hardware on which ePHI is stored and controlling access to the facilities in which that hardware is located. However, the Safeguards were written at the turn of the century, before most types of peripheral device retained data in internal memory or drives, and before workforce members had access to mobile devices.
Therefore, the Physical Security Safeguards do not only apply to servers and workstations. They also apply to printers, scanners, and fax machines, and to any removable media on which ePHI is stored, such as USB flash drives. In this respect, maintaining an inventory of hardware and ensuring it is disposed of compliantly is more complicated than originally intended.
If workforce members are permitted to create, receive, store, or transmit ePHI via their personal devices, measures must be implemented to ensure that, if a device is lost, stolen, or disposed of, it is possible to remotely wipe ePHI from the device. It may also be necessary to limit what apps workforce members can use on personal devices to mitigate the risk of malware infections.
Technical Security Safeguards
The Technical Security Safeguards have two main purposes. The first is to ensure workforce members are accountable for interactions with ePHI by assigning a unique identifier (usually a password) to each workforce member so their activities can be logged, monitored, and audited. Procedures also have to be in place for terminating access when workforce members leave.
One of the challenges of complying with this requirement is that the automatic log-off standard does not stipulate that log-off periods should be set for the minimum possible period of inactivity. To prevent scenarios in which workforce members use applications under a different user’s credentials, workforce members should be instructed to manually log out of applications.
The second purpose of the Technical Security Safeguards is to ensure the security and integrity of ePHI at rest and in transit. Most modern storage and communication services encrypt data by default. However, limitations may exist with regards to the extent of encryption, and how service providers resolve (for example) incompatible encryption types for ePHI in transit.
Other HIPAA Security Rule Requirements
Other HIPAA Security Requirements include the need for HIPAA covered entities to enter into Business Associate Agreements with business associates, and business associates to enter into Business Associate Agreements with subcontractors, to establish a custodial chain for ePHI. The content of Agreements must align with §164.504(e) of the HIPAA Privacy Rule.
Similar requirements exist for disclosures of ePHI by group health plans to plan sponsors, along with the measures plan sponsors must have in place to protect the confidentiality, integrity, and availability of ePHI. These HIPAA Security Rule requirements also have corresponding requirements for group health plans in §164.504(f) of the HIPAA Privacy Rule.
One of the last standards in the HIPAA Security Rule requires HIPAA covered entities and business associates to implement policies and procedures that support workforce compliance with the HIPAA Security Rule. The policies and procedures must be documented, made available to relevant members of the workforce, and retained for a minimum of six years from the date they are last in force.
The Importance of HIPAA Security Rule Compliance
It is important for HIPAA covered entities, business associates, and their workforces to comply with the HIPAA Security Rule because violations of the standards (or violations of policies implemented to support compliance with the HIPAA Security Rule) can have significant consequences for organizations, workforce members, and patients whose ePHI is exposed in a data breach.
Organizations that fail to comply with the HIPAA Security Rule can be fined by HHS’ Office for Civil Rights and State Attorneys General – an event which is more likely in the absence of a thorough risk assessment. Noncompliant HIPAA covered entities and business associates can also be taken to court by affected individuals using HIPAA’s expected duty of care to support claims of negligence and breach of contract.
Workforce members must be sanctioned for any violation of the HIPAA Privacy and Security Rules, or any violation of a security policy implemented to support compliance with the HIPAA Security Rule. Workplace sanctions vary depending on the nature of the violation and the motive behind it, but when ePHI is accessed knowingly and wrongfully in violation of the Social Security Act, the event must be referred to law enforcement.
Patients whose ePHI is exposed in a data breach can suffer immediate health consequences if ePHI is not available for the provision of care when needed (for example, during a ransomware attack), short-term delays in care while a healthcare organization is recovering from a cyberattack, and long-term consequences when stolen data is used to commit medical identity theft and corrupts the patient’s medical records.
Secondary and Tertiary Consequences of HIPAA Security Rule Violations
In nearly all circumstances, HIPAA Security Rule violations have secondary and tertiary consequences. For example, when a patient experiences a delay in treatment due to a cyberattack, they tend to lose trust in their healthcare providers. Due to the loss of trust, the patient is less willing to disclose sensitive information about their symptoms or comply with prescribed courses of treatment.
With less information to work with, healthcare providers are less able to make accurate diagnoses and prescribe effective courses of treatment, resulting in increased readmission rates and worse patient outcomes. The additional strain on resources and increased readmission rates incur additional costs for healthcare organizations and reduce revenues from CMS’ value-based care programs.
This means there is less money available to invest in the provision of healthcare, workplace facilities, and staff retention. The situation is exacerbated by worse patient outcomes lowering staff morale, and by the strain on resources increasing staff burnout. For these reasons, complying with the HIPAA Security Rule should be seen as more than a box-ticking exercise.
How to Mitigate the Risk of HIPAA Security Rule Violations
Even when a covered entity or business associate invests heavily in technical, physical, and administrative safeguards, the greatest vulnerability in any organization is its workforce. Most HIPAA Security Rule violations originate not from system failures, but from everyday lapses in judgment, convenience shortcuts, or a lack of awareness about how attackers exploit human behavior. For this reason, HIPAA-focused cybersecurity training for healthcare employees is the most effective way to reduce preventable incidents.
A core focus of training should be password security. Workforce members need to understand why passwords must be unique, complex, and never shared, even with colleagues or supervisors. Reusing credentials across systems or writing them down in accessible locations undermines every other safeguard the organization has in place.
Training should also reinforce the importance of logging out of devices, applications, and databases after use. Automatic log-off settings help, but they cannot replace the expectation that workforce members actively terminate sessions, especially in shared work areas or fast-paced clinical environments.
Social engineering remains one of the most common entry points for attackers. Employees should learn how to recognize phishing attempts, pretexting, and other manipulation tactics designed to obtain credentials or trick users into installing malware. This includes understanding the safe use of email, verifying senders, avoiding suspicious links or attachments, and reporting anything that seems unusual.
Finally, organizations must cultivate a culture in which workforce members feel responsible for reporting suspected security incidents and violations immediately. Early reporting allows security teams to contain threats before they escalate into breaches that compromise ePHI.
Effective HIPAA-focused cybersecurity training turns the workforce from the weakest link into a critical line of defense, significantly reducing the likelihood of HIPAA Security Rule violations.
HIPAA Security Rule FAQs
Why does the Security Rule have “required” and “addressable” safeguards?
Because the HIPAA Security Rule applies to many different types of organizations, it was felt that if all the safeguards were “required” safeguards it would place an unnecessary burden on many HIPAA covered entities and business associates. Consequently, the HIPAA Security Rule requires organizations to implement some safeguards, but allows a degree of flexibility with “addressable” safeguards if an existing or substitute measure achieves the objective of the safeguard with equal (or greater) protection, or it can be shown that the safeguard is not applicable in a specific scenario.
How can surveillance malware result in a breach of HIPAA?
Surveillance malware (also known as “spyware”) enables cybercriminals to log keystrokes such as login credentials for healthcare systems. With this information, cybercriminals can remotely access the systems and exfiltrate ePHI to commit identity theft and healthcare fraud. Other types of malware can impact the availability of ePHI (for example ransomware) or corrupt data so it is unreliable.
What prompted the changes to the HIPAA Security Rule in 2013?
Many of the changes to the HIPAA Security Rule were attributable to the passage of the HITECH Act in 2009. HITECH paved the way for CMS’ Meaningful Use incentive program, and concerns existed that the increased adoption of technology may result in an increased incidence of data breaches, especially as more data would likely be transmitted between covered entities and business associates.
Will there likely be further changes to the Security Rule in the future?
While the text of the Security Rule has not changed since 2013, the way in which the Rule is applied has changed in response to the COVID-19 health emergency and also the Cybersecurity Safe Harbor provision in 2021. Changes to the HIPAA Security Rule are currently being discussed, and these may have an impact on the measures that must be implemented by covered entities and business associates in the near future.