HIPAA Security Rule

The HIPAA Security Rule establishes standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Unlike the Privacy Rule, which covers all PHI, the Security Rule applies specifically to electronic data.

Citation: 45 C.F.R. Part 164 Subpart C
Sections: 41
Words indexed: 41,659
Applies to: All covered entities and business associates that create, receive, maintain, or transmit ePHI

Key Points

Requires a risk analysis to identify threats to ePHI (this is the #1 audit finding when missing)

Safeguards are divided into three categories: administrative, physical, and technical

Some implementation specifications are 'required' and others are 'addressable' (an addressable specification must be implemented if reasonable and appropriate; otherwise the entity must document why it is not and implement an equivalent alternative measure)

Workforce members must have unique user IDs and appropriate access levels

Audit controls must record and examine activity in systems containing ePHI

Encryption of ePHI in transit and at rest is an addressable specification, but it is strongly recommended

Key Areas

Administrative Safeguards

Risk analysis, workforce security, access management, training

Physical Safeguards

Facility access, workstation use, device controls

Technical Safeguards

Access control, audit controls, integrity, transmission security

Organizational Requirements

Business associate contracts, group health plans

Key Provisions

164.308

Administrative Safeguards

The largest section. Covers risk analysis, workforce security, access management, security awareness training, incident procedures, contingency planning, and evaluation.

164.310

Physical Safeguards

Facility access controls, workstation use and security, and device and media controls. Covers everything from server room locks to laptop disposal.

164.312

Technical Safeguards

Access controls (unique user IDs, emergency access), audit controls, integrity controls, person/entity authentication, and transmission security (encryption).

164.316

Policies and Documentation

All security policies must be documented, retained for 6 years, and made available to workforce members. If it's not written down, it doesn't exist for audit purposes.
