The HIPAA Security Rule requires healthcare providers to take steps to protect electronic protected health information (ePHI). It helps covered entities put the requirements laid out in the HIPAA Privacy Rule into practice by implementing various controls to protect sensitive information.

Under the Security Rule, covered entities must also complete a risk assessment and document and then implement specific administrative, physical, and technical safeguards.

Which covered entities are required to follow the Security Rule?

The Security Rule applies to any organization that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud. These covered entities include:

Healthcare providers
Health insurance companies and employer-sponsored health plans
Healthcare clearinghouses
Third-party medical service providers (Business Associates)

Who enforces the Security Rule?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the main enforcer of the HIPAA Security Rule and Privacy Rule. State attorneys general and the Centers for Medicare and Medicaid Services (CMS) also have some authority to enforce HIPAA rules.

The OCR investigates complaints, conducts compliance reviews, and educates HIPAA covered entities about compliance requirements. It also investigates any data breaches that affect 500+ people as well as organizations that have had multiple smaller breaches.

How to comply with the HIPAA Security Rule

It’s important to note that HIPAA legislation doesn’t specify exact controls or tools that need to be in place for compliance. The law focuses more on what healthcare organizations should do to protect patient data rather than the specifics of how it needs to be accomplished. Different organizations have different systems, needs, and resources, and a national hospital system is likely to have much different security measures in place than a small family practice.

That said, all healthcare providers must complete a risk assessment to identify vulnerabilities and threats to PHI and create an effective plan to protect against potential risks. That plan must include a set of administrative, physical, and technical safeguards to secure PHI.

Risk analysis

Covered entities and business associates are required to complete a formal risk analysis before implementing any specific safeguards. This ensures the organization fully understands its specific risk factors so that management can design and implement appropriate and effective safeguards.

Administrative safeguards

Administrative safeguards involve any administrative actions to protect ePHI. These include establishing and maintaining defined security policies and processes and training staff on data security standards and privacy best practices. Organizations also need to designate an individual who will be responsible for ensuring ongoing compliance with the Security Rule, as well as conduct periodic assessments to evaluate how well safeguards are working to protect PHI.

Physical safeguards

Physical safeguards address physical access and storage of PHI. All PHI and electronic information systems must be protected from unauthorized access. Healthcare organizations must have a plan in place to protect PHI from natural and environmental hazards and unauthorized access, as well as have a contingency plan in place to continue operations in the event of an incident. Physical safeguards should cover both access to facilities and departments as well as access to specific workstations and devices.

Technical safeguards

Technical safeguards concern the technologies that store and access ePHI. These can include access control and monitoring, multi-factor authentication, encryption, firewalls, device management, and endpoint security. Integrity controls also ensure PHI isn’t improperly altered or disposed of, and transmission security controls protect against unauthorized access when PHI is transmitted.

Maintain HIPAA compliance with Secureframe

Secureframe takes the stress out of following the Security Rule and keeping PHI safe. With built-in data privacy and security training, automated control monitoring, and simplified vendor and BAA management, you can rest easy knowing you’re fully compliant with HIPAA rules. Learn more about Secureframe’s HIPAA compliance solution.

What is the HIPAA Security Rule? Safeguards & Requirements Explained

Which covered entities are required to follow the Security Rule?

Recommended Reading

Who enforces the Security Rule?

How to comply with the HIPAA Security Rule

Risk analysis

Administrative safeguards

Physical safeguards

Technical safeguards

Maintain HIPAA compliance with Secureframe

HIPAA Overview

What is HIPAA Compliance and Why is it Important?

Who Needs to be HIPAA Compliant? Covered Entities vs Business Associates Explained

What is PHI Under HIPAA? Requirements for Compliance

HITRUST vs HIPAA: The Similarities and Differences Healthcare Organizations Need to Know

SOC 2 + HIPAA Compliance: The Perfect Duo for Data Security

HIPAA Rules & Requirements

How the HIPAA Privacy Rule Protects PHI

What is the HIPAA Security Rule? Safeguards & Requirements Explained

HIPAA Breach Notification Rule: What It Is + How To Comply

What Is the HIPAA Minimum Necessary Rule? + How to Comply

What is the HIPAA Omnibus Rule?

Achieving HIPAA Compliance

How to Become HIPAA Compliant in 7 Steps

HIPAA Compliance Costs in 2023

How to Create + Manage HIPAA Policies and Procedures

How To Conduct a HIPAA Risk Assessment in 6 Steps + Checklist

What Is a HIPAA Business Associate Agreement? [Free Template]

HIPAA Violations

Who Enforces HIPAA + How To Make Sure Your Business Is Compliant

HIPAA Violations: Examples, Penalties + 5 Cases to Learn From

HIPAA Exceptions: What Isn’t Covered by the Data Privacy Law?

Automating HIPAA Compliance

Manual vs. Automated: A Faster Way to HIPAA Compliance

The Cost Benefits of HIPAA Compliance Automation

Maintaining Continuous Compliance with HIPAA

HIPAA Tools & Resources

HIPAA Training Resources

HIPAA Checklists and Templates

Why Secureframe

Products

Features

Solutions

Top Frameworks

Audit Partners

Channel Partners

Become a Partner

Resources

Featured

Company

What is the HIPAA Security Rule? Safeguards & Requirements Explained

Which covered entities are required to follow the Security Rule?

Recommended Reading

Who enforces the Security Rule?

How to comply with the HIPAA Security Rule

Risk analysis

Administrative safeguards

Physical safeguards

Technical safeguards

Maintain HIPAA compliance with Secureframe

HIPAA Overview

What is HIPAA Compliance and Why is it Important?

Who Needs to be HIPAA Compliant? Covered Entities vs Business Associates Explained

What is PHI Under HIPAA? Requirements for Compliance

HITRUST vs HIPAA: The Similarities and Differences Healthcare Organizations Need to Know

SOC 2 + HIPAA Compliance: The Perfect Duo for Data Security

HIPAA Rules & Requirements

How the HIPAA Privacy Rule Protects PHI

What is the HIPAA Security Rule? Safeguards & Requirements Explained

HIPAA Breach Notification Rule: What It Is + How To Comply

What Is the HIPAA Minimum Necessary Rule? + How to Comply

What is the HIPAA Omnibus Rule?

Achieving HIPAA Compliance

How to Become HIPAA Compliant in 7 Steps

HIPAA Compliance Costs in 2023

How to Create + Manage HIPAA Policies and Procedures

How To Conduct a HIPAA Risk Assessment in 6 Steps + Checklist

What Is a HIPAA Business Associate Agreement? [Free Template]

HIPAA Violations

Who Enforces HIPAA + How To Make Sure Your Business Is Compliant

HIPAA Violations: Examples, Penalties + 5 Cases to Learn From

HIPAA Exceptions: What Isn’t Covered by the Data Privacy Law?

Automating HIPAA Compliance

Manual vs. Automated: A Faster Way to HIPAA Compliance

The Cost Benefits of HIPAA Compliance Automation

Maintaining Continuous Compliance with HIPAA

HIPAA Tools & Resources

HIPAA Training Resources

HIPAA Checklists and Templates