The HIPAA Security Rulesets national standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards that keep ePHI confidential, intact, and available. Where the Privacy Rule sets the "what," the Security Rule sets the "how" for electronic data.
The HIPAA Security Rule establishes national standards for protecting electronic protected health information. It was issued by the US Department of Health and Human Services under HIPAA's Administrative Simplification provisions and works hand in hand with the Privacy Rule.
Its requirement is, in essence, three words: confidentiality, integrity, and availability. Covered entities and business associates must ensure the ePHI they handle stays private, is not improperly altered or destroyed, and is accessible when needed. The rule is deliberately technology-neutral and scalable, so the same standard applies to a solo practice and a national health plan, with the specifics tuned by a risk analysis.
"The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI."
ePHI is not available or disclosed to unauthorised people or processes.
ePHI is not improperly altered or destroyed.
ePHI is accessible and usable on demand by an authorised person.
The Security Rule applies to electronic protected health information (ePHI): protected health information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. Paper records and purely oral communications fall under the Privacy Rule but outside the Security Rule.
The same two groups are bound as the rest of HIPAA: covered entities and their business associates. Since the 2013 Omnibus Rule, business associates, including cloud hosts and SaaS vendors that store or process ePHI, are directly liable for implementing the safeguards themselves, not merely bound by contract.
The Security Rule organises its requirements into three families of safeguards. Each contains standards, and each standard has implementation specifications that are required or addressable.
The policies and procedures that manage security. The largest category, and the one that contains the risk analysis.
The physical measures that protect electronic systems and the buildings and equipment that house them.
The technology and the policies for its use that protect ePHI and control access to it.
Beyond the three safeguard families, the rule also sets organisational requirements (such as business associate contracts) and policies, procedures, and documentation requirements, including a six-year retention period for the documentation.
This is the most misunderstood part of the Security Rule. "Addressable" does not mean optional.
You must implement the specification exactly as written. There is no discretion: a required implementation specification is mandatory for every covered entity and business associate.
You must assess whether the specification is reasonable and appropriate for your environment, then either implement it, or document why it is not and implement an equivalent alternative that achieves the same goal. You must address it, not skip it.
The classic example is encryption: it is addressable, which means a covered entity that chooses not to encrypt must document a sound rationale and an equivalent safeguard. In practice, unencrypted ePHI is a frequent factor in breach penalties, so most organisations implement it.
If you do one thing under the Security Rule, do the risk analysis. Required by the administrative safeguards at 45 CFR 164.308(a)(1), it is an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI you hold.
Every other safeguard decision flows from it: the analysis tells you where your risks are, and risk management is the work of reducing them to a reasonable and appropriate level. It is also the single document OCR requests first in almost every investigation, and the absence of a current, thorough risk analysis is one of the most common and costly findings.
A risk analysis is not a one-time event. It must be kept current, reviewed periodically, and updated after material changes to your systems, your environment, or your ePHI footprint.
The two foundational HIPAA rules are complementary. The Privacy Rule decides who can touch the data; the Security Rule decides how the electronic copy is protected.
| Aspect | Privacy Rule | Security Rule |
|---|---|---|
| Scope of data | All PHI (oral, paper, electronic) | Electronic PHI only (ePHI) |
| Focus | Use, disclosure, and patient rights | Safeguards for confidentiality, integrity, availability |
| Answers | Who may access PHI and why | How electronic PHI is protected |
For the full picture on the other half, see our guides to the HIPAA Privacy Rule and HIPAA as a whole.
Six steps, anchored on the risk analysis. The pattern is the same as every defensible security programme: know your assets, assess the risk, apply safeguards, and keep the evidence.
Map every system, application, device, and vendor that creates, receives, maintains, or transmits electronic PHI. The inventory is the foundation of a defensible risk analysis.
Assess the threats and vulnerabilities to the confidentiality, integrity, and availability of your ePHI, and document it. This is the cornerstone requirement and the first thing OCR asks for.
Apply administrative, physical, and technical safeguards to reduce risks to a reasonable and appropriate level, and document your decisions, including any addressable specifications you implement differently.
Designate a Security Officer, write the required policies and procedures, and train the workforce. Apply a sanction policy for violations.
Ensure Business Associate Agreements obligate vendors to protect ePHI, and confirm subcontractors are covered down the chain.
Re-evaluate periodically and after material changes, track remediation to closure, and retain documentation for six years. The burden of proof in an investigation is on you.
RiskWatch ships a pre-built HIPAA Security Rule risk analysis and safeguard assessment on a shared control library, scores every standard, tracks remediation to closure, and keeps the timestamped evidence OCR requests first.
The questions security and compliance teams ask on the way to a defensible programme.
A pre-built HIPAA Security Rule risk analysis and safeguard assessment, cross-mapped controls, remediation tracking, and a timestamped audit trail. 30-day free trial, no credit card.
No credit card required · 30-day free trial · Cancel anytime
