What is the HIPAA Security Rule?

The HIPAA Security Rule is a federal regulation that requires HIPAA Covered Entities and Business Associates to protect electronic protected health information through administrative, physical, and technical safeguards designed to preserve confidentiality, integrity, and availability.

The HIPAA Security Rule applies to electronic protected health information that a regulated entity creates, receives, maintains, or transmits in electronic media. It does not govern protected health information maintained or transmitted only on paper or spoken verbally, although those forms of protected health information remain subject to the HIPAA Privacy Rule and related organizational controls.

The HIPAA Security Rule establishes general requirements to safeguard electronic protected health information against reasonably anticipated threats, impermissible uses or disclosures, and workforce noncompliance. Regulated entities select security measures that are reasonable and appropriate based on their size, complexity, technical environment, costs, and the probability and potential impact of risks to electronic protected health information.

The safeguards framework is organized into administrative, physical, and technical safeguard standards. Administrative safeguards address governance and process controls such as conducting an accurate and thorough risk analysis, implementing risk management measures, assigning security responsibility, implementing workforce access controls, training the workforce, managing security incidents, and evaluating safeguards over time. Physical safeguards address facility access controls, workstation use and security, and device and media controls, including procedures for the movement, reuse, and disposal of hardware and electronic media that contain electronic protected health information. Technical safeguards address access controls, audit controls, integrity controls, person or entity authentication, and transmission security measures that protect electronic protected health information when it is transmitted over electronic networks.

The HIPAA Security Rule contains implementation specifications that are labeled as required or addressable. Required specifications are mandatory. Addressable specifications require an assessment of whether the specification is reasonable and appropriate in the entity’s environment, and when it is not, the entity must document the rationale and implement an equivalent alternative measure when appropriate to protect electronic protected health information.

Documentation is a compliance obligation. Policies and procedures adopted to meet the HIPAA Security Rule must be maintained in written or electronic form, retained for the required period, and updated to reflect environmental and operational changes. Documentation supports consistent execution, workforce training, audits, and incident response.

The HIPAA Security Rule works alongside the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. Security safeguards support permissible uses and disclosures by limiting access to authorized users and by reducing the likelihood of impermissible disclosures caused by system compromise, misconfiguration, or lost devices. When an impermissible acquisition, access, use, or disclosure involves unsecured protected health information, breach analysis and notifications may be required under the HIPAA Breach Notification Rule.

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.