The HIPAA Security Rule requires healthcare providers to take steps to protect electronic protected health information (ePHI). It helps covered entities put the requirements laid out in the HIPAA Privacy Rule into practice by implementing various controls to protect sensitive information. 

Under the Security Rule, covered entities must also complete a risk assessment and document and then implement specific administrative, physical, and technical safeguards. 

Which covered entities are required to follow the Security Rule?

The Security Rule applies to any organization that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud. These covered entities include: 

  • Healthcare providers
  • Health insurance companies and employer-sponsored health plans
  • Healthcare clearinghouses
  • Third-party medical service providers (Business Associates)

Who enforces the Security Rule?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the main enforcer of the HIPAA Security Rule and Privacy Rule. State attorneys general and the Centers for Medicare and Medicaid Services (CMS) also have some authority to enforce HIPAA rules. 

The OCR investigates complaints, conducts compliance reviews, and educates HIPAA covered entities about compliance requirements. It also investigates any data breaches that affect 500+ people as well as organizations that have had multiple smaller breaches. 

How to comply with the HIPAA Security Rule

It’s important to note that HIPAA legislation doesn’t specify exact controls or tools that need to be in place for compliance. The law focuses more on what healthcare organizations should do to protect patient data rather than the specifics of how it needs to be accomplished. Different organizations have different systems, needs, and resources, and a national hospital system is likely to have much different security measures in place than a small family practice. 

That said, all healthcare providers must complete a risk assessment to identify vulnerabilities and threats to PHI and create an effective plan to protect against potential risks. That plan must include a set of administrative, physical, and technical safeguards to secure PHI.

Risk analysis 

Covered entities and business associates are required to complete a formal risk analysis before implementing any specific safeguards. This ensures the organization fully understands its specific risk factors so that management can design and implement appropriate and effective safeguards. 

Administrative safeguards

Administrative safeguards involve any administrative actions to protect ePHI. These include establishing and maintaining defined security policies and processes and training staff on data security standards and privacy best practices. Organizations also need to designate an individual who will be responsible for ensuring ongoing compliance with the Security Rule, as well as conduct periodic assessments to evaluate how well safeguards are working to protect PHI.  

Physical safeguards

Physical safeguards address physical access and storage of PHI. All PHI and electronic information systems must be protected from unauthorized access. Healthcare organizations must have a plan in place to protect PHI from natural and environmental hazards and unauthorized access, as well as have a contingency plan in place to continue operations in the event of an incident. Physical safeguards should cover both access to facilities and departments as well as access to specific workstations and devices. 

Technical safeguards

Technical safeguards concern the technologies that store and access ePHI. These can include access control and monitoring, multi-factor authentication, encryption, firewalls, device management, and endpoint security. Integrity controls also ensure PHI isn’t improperly altered or disposed of, and transmission security controls protect against unauthorized access when PHI is transmitted. 

Maintain HIPAA compliance with Secureframe

Secureframe takes the stress out of following the Security Rule and keeping PHI safe. With built-in data privacy and security training, automated control monitoring, and simplified vendor and BAA management, you can rest easy knowing you’re fully compliant with HIPAA rules. Learn more about Secureframe’s HIPAA compliance solution.

FAQs

What is the HIPAA Security Rule and its safeguards?

The HIPAA Security Rule is a set of regulations established to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). It outlines three main categories of safeguards that covered entities and their business associates must implement to protect ePHI: administrative, physical, and technical.

What are some examples of administrative safeguards required by the HIPAA Security Rule?

Examples of administrative safeguards required by the HIPAA Security Rule are:

  • Performing risk analysis on an ongoing basis
  • Implementing security measures that reduce risks and vulnerabilities
  • Designating a security official who is responsible for developing and implementing its security policies and procedures
  • Implementing policies and procedures for managing access to ePHI
  • Providing security awareness training for employees

What is the purpose of the HIPAA Security Rule?

The purpose of the HIPAA Security Rule is to operationalize the protections for electronic protected health information contained in the Privacy Rule. It does so by providing the technical and non-technical safeguards that covered entities are required to put in place to protect the privacy of individuals' health information while allowing these entities to adopt new technologies to improve the quality and efficiency of the care they provide.

Who must follow the HIPAA Security Rule?

The HIPAA Security Rule applies to covered entities and their business associates, meaning:

  • health plans that provide or pay the cost of medical care
  • health care providers who electronically transmit health information in connection with HIPAA-regulated transactions, like claims
  • health care clearinghouses that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content) or vice versa
  • business associates that perform certain functions or activities on behalf of, or provide certain services to, a covered entity that involve the use or disclosure of PHI

Who is exempt from the HIPAA Security Rule?

Life insurers, employers, workers' compensation carriers, most schools and school districts, many state agencies like child protective service agencies, most law enforcement agencies, and many municipal offices are exempt from the HIPAA Security Rule, even though they may have health information about you.