
HIPAA Security Rule Explained: Standards and Requirements

The HIPAA Security Rule establishes national standards for protecting electronic protected health information (ePHI) through administrative, physical, and technical safeguards. It applies to covered entities—healthcare providers, health plans, and clearinghouses—as well as business associates that handle ePHI on their behalf.

This guide breaks down each category of safeguards, clarifies required vs. addressable specifications, and explains how organizations can achieve and maintain compliance—plus how a platform like Drata can help you operationalize HIPAA requirements and continuously monitor security controls.

What Is the HIPAA Security Rule?

The HIPAA Security Rule is the national standard that protects ePHI through three categories of safeguards: administrative, physical, and technical. It requires covered entities and business associates to:

  • Conduct risk analyses and manage identified risks

  • Implement access controls and authentication

  • Use encryption where appropriate

  • Maintain policies, procedures, and documentation for at least six years

The Security Rule centers on three core security objectives:

  • Confidentiality: Only authorized individuals can access ePHI

  • Integrity: ePHI remains accurate and unaltered except by authorized users

  • Availability: Authorized users can access ePHI when they need it

Importantly, the rule is technology-neutral. Rather than mandating specific tools, it allows organizations to choose security measures that fit their size, complexity, and risk profile.

Who Must Comply with the HIPAA Security Rule?

Two groups fall under the Security Rule: covered entities and business associates.

Covered Entities

Covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information in connection with certain standard transactions.

Examples include:

  • Hospitals and health systems

  • Physician practices and clinics

  • Dentists and specialized providers

  • Health insurance issuers and Medicare programs

Business Associates

Business associates are third parties that create, receive, maintain, or transmit ePHI on behalf of covered entities.

Common examples include cloud service providers that store or process ePHI (see the FAQ below), billing and claims processing services, and IT or managed service providers whose staff can reach systems holding ePHI.

Business associates must comply with applicable Security Rule requirements and enter into Business Associate Agreements (BAAs) that spell out responsibilities for safeguarding ePHI.

What Information Does the HIPAA Security Rule Protect?

The Security Rule specifically protects electronic protected health information (ePHI)—any individually identifiable health information that is stored or transmitted electronically.

This is a subset of HIPAA protected health information (PHI), which also includes paper records and verbal communications. Health information becomes individually identifiable when it includes one or more personal identifiers, such as:

  • Names

  • Geographic data (addresses)

  • Dates directly related to a person (birth date, admission date, etc.)

  • Social Security numbers

  • Medical record or account numbers

Examples of ePHI include:

  • Patient records in EHR systems

  • Billing data transmitted electronically

  • Health information stored in cloud applications or backups

General Requirements Under the HIPAA Security Rule

Before diving into specific safeguards, the Security Rule establishes four overarching requirements for covered entities and business associates:

  1. Protect confidentiality, integrity, and availability of ePHI

    • Guard against reasonably anticipated threats and hazards

  2. Prevent unauthorized uses or disclosures

    • Put safeguards in place to block impermissible access

  3. Ensure workforce compliance

    • Train employees and enforce security policies

  4. Maintain flexibility and scalability

    • Adapt safeguards to the organization’s size, complexity, and risk environment

Administrative Safeguards

Administrative safeguards are the policies, procedures, and actions that govern how an organization manages ePHI security. They make up the largest portion of Security Rule requirements.

Security Management Process

Organizations must implement policies and procedures to prevent, detect, contain, and correct security violations. The foundation is a formal risk analysis and an ongoing risk management program based on those findings.

Assigned Security Responsibility

Each organization designates a single security official responsible for developing, implementing, and maintaining security policies and procedures.

Workforce Security

Workforce security policies ensure that only authorized individuals can access ePHI. This includes:

  • Procedures for granting and modifying access

  • Supervision and training of workforce members

  • Revoking access promptly when roles change or employment ends

Information Access Management

Organizations must define role-based access to ePHI and establish how access rights are granted, modified, and revoked based on job responsibilities.

Security Awareness and Training

All workforce members must receive ongoing security awareness and training—not just a one-time session. Training typically covers:

  • Recognizing and reporting security incidents

  • Malware and phishing awareness

  • Login and password management

  • Appropriate use of systems and data

Security Incident Procedures

Organizations need documented procedures to identify, respond to, and document security incidents. When an incident occurs, there should already be a clear, repeatable response process.

Contingency Plan

Contingency planning addresses data backup, disaster recovery, and emergency operations so ePHI remains available during system failures or disasters.

Evaluation

Periodic evaluations assess whether security policies and procedures are effective and aligned with current risks and operations.

Business Associate Contracts

Covered entities must have written Business Associate Agreements (BAAs) with vendors that handle ePHI, ensuring they appropriately safeguard ePHI and comply with the Security Rule.

Physical Safeguards

Physical safeguards protect facilities, equipment, and other physical resources that store or process ePHI.

Facility Access Controls

Facility access controls limit who can physically enter areas containing systems that handle ePHI. Policies typically cover:

  • Physical security plans

  • Access validation and authorization procedures

  • Contingency operations for emergencies

Workstation Use and Security

Organizations must define acceptable workstation use and implement physical safeguards to prevent unauthorized individuals from viewing or accessing ePHI.

Device and Media Controls

Policies must govern how hardware and electronic media containing ePHI are received, moved, reused, and disposed of. This includes:

  • Secure disposal and destruction procedures

  • Removal of ePHI before reusing devices

  • Data backup requirements before devices change hands

Technical Safeguards

Technical safeguards are the technology and related policies that protect ePHI and control access to it.

Access Control

Technical access controls ensure only authorized users and software programs can access ePHI. Common mechanisms include:

  • Unique user IDs and strong authentication

  • Emergency access procedures

  • Automatic session timeouts and logoff

  • Encryption of ePHI at rest and in transit where appropriate
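The automatic-logoff item above is frequently implemented with an idle timeout only, which lets a script that sends a keep-alive every few minutes hold a clinician's session open indefinitely. The following is an added example, not code from the original article or from Drata: a session object with both an idle timeout and an absolute lifetime, driven by an injected clock so the behaviour can be replayed without waiting. The 15-minute idle and 8-hour absolute values are assumptions chosen for illustration; the Security Rule does not prescribe numbers.

```python
# Added example (not from the original article or from Drata): automatic logoff with an
# idle timeout AND an absolute session lifetime. The limits below are assumed values.
from datetime import datetime, timedelta


class EphiSession:
    IDLE_LIMIT = timedelta(minutes=15)      # assumption: inactivity window
    ABSOLUTE_LIMIT = timedelta(hours=8)     # assumption: hard cap, regardless of activity

    def __init__(self, user: str, started_at: datetime):
        self.user = user
        self.started_at = started_at
        self.last_activity = started_at
        self.ended_reason = None            # set once, never cleared

    def check(self, now: datetime) -> bool:
        """True if the session may still be used at `now`; otherwise record why it ended."""
        if self.ended_reason:
            return False
        if now - self.started_at >= self.ABSOLUTE_LIMIT:
            self.ended_reason = "absolute-lifetime"
        elif now - self.last_activity >= self.IDLE_LIMIT:
            self.ended_reason = "idle-timeout"
        return self.ended_reason is None

    def touch(self, now: datetime) -> bool:
        """Record user activity. A request arriving on an expired session must not revive it."""
        if not self.check(now):
            return False
        self.last_activity = now
        return True


def simulate(events: list) -> dict:
    """Replay (minutes_since_start, action) pairs against one session.
    action is 'request' (user activity) or 'check' (e.g. a page load that only validates)."""
    t0 = datetime(2025, 3, 1, 8, 0)                 # constructed start time
    session = EphiSession("rn.chen", t0)            # constructed user
    outcomes = []
    for minutes, action in events:
        now = t0 + timedelta(minutes=minutes)
        ok = session.touch(now) if action == "request" else session.check(now)
        outcomes.append((minutes, action, ok))
    return {"outcomes": outcomes, "ended_reason": session.ended_reason}


if __name__ == "__main__":
    # Idle case: activity at 5 and 14 minutes, then nothing until minute 30.
    print(simulate([(5, "request"), (14, "request"), (30, "check"), (31, "request")]))
    # Keep-alive case: a request every 10 minutes still hits the 8-hour cap.
    print(simulate([(10 * i, "request") for i in range(1, 49)])["ended_reason"])
```

The second scenario is the one worth running: activity every ten minutes never trips the idle timer, so only the absolute limit ends the session.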

Audit Controls

Audit controls record and examine activity in systems containing ePHI. Audit trails support:

  • Detection of unauthorized access

  • Incident investigations

  • Regulatory and internal reporting

Integrity Controls

Integrity controls protect ePHI from improper alteration or destruction and help verify that data hasn’t been changed inappropriately.
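The Audit Controls and Integrity Controls sections above describe two things a practitioner has to build rather than buy: a log of who touched which record that cannot be quietly edited afterwards, and a review step that actually finds misuse in it. The following is an added example, not code from the original article or from Drata. It seals each audit entry with an HMAC chained to the previous entry (so editing or deleting any earlier entry breaks every later MAC) and runs two review rules over constructed events: reads by users who are not on the patient's care team, and one user reading several distinct patients in a short window. The field names, the care-team mapping, the thresholds and the hard-coded demo key are assumptions for illustration.

```python
# Added example (not code from the original article or from Drata): a tamper-evident
# ePHI audit trail plus two detection rules run over constructed log entries.
# Assumptions: field names, care-team mapping, thresholds and the demo key below.
import copy
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: in production this key lives in a KMS/HSM and is not readable by the
# application that writes the log, so someone with write access cannot re-MAC entries.
LOG_KEY = b"demo-only-audit-log-key"

# Assumption: care-team assignments; a read by anyone else is "outside care team".
CARE_TEAM = {
    "P-1001": {"dr.ortiz", "rn.chen"},
    "P-1002": {"dr.ortiz"},
    "P-1003": {"rn.chen"},
}


def _entry_mac(prev_mac: str, body: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


def append_entry(log: list, ts: str, user: str, action: str, patient: str) -> dict:
    """Append one access event and seal it into the chain."""
    body = {"ts": ts, "user": user, "action": action, "patient": patient}
    prev_mac = log[-1]["mac"] if log else ""
    entry = dict(body, mac=_entry_mac(prev_mac, body))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Index of the first entry whose MAC fails to verify, or None if the log is intact."""
    prev_mac = ""
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_entry_mac(prev_mac, body), entry["mac"]):
            return i
        prev_mac = entry["mac"]
    return None


def tamper_and_verify(log: list, index: int, new_patient: str):
    """Simulate an after-the-fact edit of one entry and report what verification sees."""
    altered = copy.deepcopy(log)
    altered[index]["patient"] = new_patient
    return verify_chain(altered)


def detect_misuse(log: list, bulk_threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> dict:
    """Rule 1: reads outside the care team. Rule 2: one user reading >= bulk_threshold
    distinct patients within a sliding window (one finding per user, for triage)."""
    findings = {"outside_care_team": [], "bulk_access": []}
    reads = defaultdict(list)
    for entry in log:
        if entry["action"] != "read":
            continue
        if entry["user"] not in CARE_TEAM.get(entry["patient"], set()):
            findings["outside_care_team"].append((entry["ts"], entry["user"], entry["patient"]))
        reads[entry["user"]].append((datetime.fromisoformat(entry["ts"]), entry["patient"]))
    for user, events in reads.items():
        events.sort()
        for start, _ in events:
            patients = {p for t, p in events if start <= t <= start + window}
            if len(patients) >= bulk_threshold:
                findings["bulk_access"].append((user, sorted(patients)))
                break
    return findings


def build_sample_log() -> list:
    """Constructed sample events (not real data)."""
    log = []
    for ts, user, action, patient in [
        ("2025-03-01T09:00:00", "rn.chen", "read", "P-1001"),
        ("2025-03-01T09:02:00", "dr.ortiz", "read", "P-1002"),
        ("2025-03-01T09:04:00", "dr.ortiz", "read", "P-1003"),      # not on P-1003's team
        ("2025-03-01T09:05:00", "reception.kim", "read", "P-1001"),  # three patients in
        ("2025-03-01T09:06:00", "reception.kim", "read", "P-1002"),  # three minutes by a
        ("2025-03-01T09:07:00", "reception.kim", "read", "P-1003"),  # non-clinical user
        ("2025-03-01T09:30:00", "rn.chen", "update", "P-1003"),
    ]:
        append_entry(log, ts, user, action, patient)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample) is None)
    print("first bad entry after editing entry 2:", tamper_and_verify(sample, 2, "P-1002"))
    print(json.dumps(detect_misuse(sample), indent=2))
```

Two design points carry over to real systems: the MAC key must not be available to the process that writes the log, or an intruder who can write entries can also re-seal them; and the care-team mapping is what turns "who accessed what" into "who accessed something they had no business reason to see", which is the finding an auditor or investigator actually asks for.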

Person or Entity Authentication

Authentication procedures verify that anyone seeking access to ePHI is who they claim to be. Many organizations use multi-factor authentication (MFA) as a best practice.

Transmission Security

Transmission security measures protect ePHI as it moves across networks. Typical implementations include encryption, integrity checks, and secure protocols (such as TLS).
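Most TLS failures in practice are not missing encryption but disabled verification in some integration that "just needed to work". The following is an added example, not code from the original article or from Drata: a client context suitable for carrying ePHI next to the kind of context that appears in such integrations, and a small checker that reports the weak settings. Setting TLS 1.2 as the floor and the three checker rules are this example's policy, not requirements quoted from the Security Rule, which is technology-neutral.

```python
# Added example (not from the original article or from Drata): a hardened TLS client
# context, a weak one for comparison, and a checker for the settings that matter most.
# Assumption: the TLS 1.2 floor and the checker's rules are this example's own policy.
import ssl


def ephi_client_context() -> ssl.SSLContext:
    """Certificate verification on, hostname check on, TLS 1.2 as the protocol floor."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """What a 'disable SSL errors' workaround looks like: no certificate validation,
    so any on-path host can terminate the connection and read the ePHI in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_findings(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for a context; empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the hostname being connected to")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (%s)" % ctx.minimum_version.name)
    return findings


if __name__ == "__main__":
    print("hardened:", tls_findings(ephi_client_context()))
    print("legacy:  ", tls_findings(legacy_client_context()))
```

The checker is the reusable part: pointed at the context objects your own code builds (for example in a unit test of your HTTP client wrapper), it turns "we use TLS" into an assertion that certificate validation has not been switched off somewhere.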

Required vs. Addressable Specifications

The Security Rule distinguishes between required and addressable implementation specifications, which often causes confusion. Notably, a proposed rule published in January 2025 would remove this distinction and make all implementation specifications required; until a final rule takes effect, the current distinction still applies.

  • Required: Mandatory safeguards with no exceptions. Organizations must implement them as written.

  • Addressable: Context-dependent safeguards. Organizations must evaluate whether the measure is reasonable and appropriate in their environment.

“Addressable” does not mean “optional.” For each addressable specification, organizations must:

  1. Assess whether the safeguard is reasonable and appropriate.

  2. If it is, implement it.

  3. If it is not, document why, and implement an equivalent alternative that achieves the same level of protection.

HIPAA Risk Analysis and Risk Management

Risk analysis is the foundation of HIPAA Security Rule compliance. A robust risk analysis typically includes:

  • Identifying ePHI: Where ePHI is created, received, maintained, or transmitted

  • Identifying threats and vulnerabilities: What could realistically compromise ePHI

  • Evaluating current safeguards: Technical and non-technical controls already in place

  • Determining likelihood and impact: Probability and potential consequences of each threat

  • Assigning risk levels: Prioritizing which risks to mitigate first

Risk management follows the analysis: organizations implement security measures that reduce identified risks to a reasonable and appropriate level.

Platforms like Drata help automate continuous control monitoring, risk tracking, and evidence collection across your tech stack, making ongoing risk management more practical and reducing the manual burden on security and compliance teams.

HIPAA Security Policies and Documentation Requirements

The Security Rule requires written policies and procedures that address each standard, along with documentation of key actions, activities, and assessments.

Organizations must:

  • Retain required records for six years from their creation or last effective date, whichever is later

  • Make documentation available to workforce members responsible for implementation

  • Review and update policies periodically, especially after operational or environmental changes

Using a central evidence and documentation hub—such as Drata’s Evidence Library, combined with a Trust Library or Trust Center for customer-facing content—helps teams keep HIPAA-related artifacts organized, versioned, and audit-ready.

Consequences of HIPAA Security Rule Violations

Non-compliance with the Security Rule can trigger regulatory, financial, operational, and reputational damage—IBM reports that healthcare breaches average $7.42 million, the highest of any industry.

Civil Penalties

The Office for Civil Rights (OCR) enforces HIPAA and can impose civil monetary penalties based on the level of culpability—from violations an organization did not know about (and could not have reasonably known) to those resulting from willful neglect.

Criminal Penalties

The Department of Justice may pursue criminal charges for knowing HIPAA violations, which can result in fines, imprisonment, or both.

Reputational and Operational Impacts

Beyond regulatory action, breaches often lead to:

  • Mandatory breach notifications and public reporting on the OCR website

  • Loss of patient, partner, and customer trust

  • Disrupted operations and incident response costs

  • Strained business relationships and lost opportunities

How to Achieve HIPAA Security Rule Compliance

HIPAA compliance is an ongoing program, not a one-time project—underscored by OCR's latest initiative auditing 50 entities on Security Rule compliance. A practical approach includes these steps:

1. Conduct a Comprehensive Risk Analysis

Start by identifying all systems that create, receive, maintain, or transmit ePHI and conduct a thorough risk analysis across them.

2. Implement Administrative, Physical, and Technical Safeguards

Use your risk analysis results to prioritize and implement safeguards that close identified gaps, tailoring your approach to the organization’s size, complexity, and technology stack.

3. Develop Policies and Procedures

Create written policies and procedures for all required standards and make them accessible to workforce members responsible for implementation.

4. Train Your Workforce

Implement recurring security awareness and role-based training so employees understand their responsibilities under HIPAA and your internal policies.

5. Monitor Controls and Maintain Continuous Compliance

Establish ongoing monitoring to detect issues early and demonstrate continuous compliance readiness—not just point-in-time audit readiness.

Drata automates much of this work by continuously monitoring security controls, centralizing evidence, and mapping controls across frameworks like HIPAA, SOC 2, ISO 27001, and others, so teams can focus on remediation and improvement instead of chasing screenshots and status updates.

If your team also uses SafeBase’s Trust Library, you can sync evidence from Drata’s Evidence Library directly into the Trust Library, then selectively publish it to your Trust Center for faster, more consistent responses to HIPAA-related security questionnaires and due diligence.

Simplify HIPAA Security Compliance with Continuous Monitoring

Manual HIPAA compliance is resource-intensive and prone to gaps. Continuous monitoring turns compliance from a periodic audit scramble into an always-ready state.

With Drata, organizations can:

  • Automate control monitoring across cloud infrastructure, applications, and identity providers

  • Centralize HIPAA-related policies, procedures, and evidence in a single source of truth

  • Reuse mapped evidence across overlapping frameworks (for example, SOC 2 security controls that also support HIPAA safeguards)

  • Streamline collaboration with security, IT, and compliance stakeholders

Book a demo to see how Drata helps organizations build, monitor, and demonstrate HIPAA Security Rule compliance on a continuous basis.

FAQs About HIPAA Security

What is the difference between the HIPAA Privacy Rule and the Security Rule?

The Privacy Rule governs the use and disclosure of all PHI—whether in electronic, paper, or verbal form—while the Security Rule focuses specifically on safeguards for electronic PHI (ePHI).

How often should a HIPAA risk analysis be performed?

Risk analysis is an ongoing process. Organizations should run formal assessments at least annually and whenever significant changes occur to systems, operations, or the threat environment.

Are cloud service providers business associates under HIPAA?

Yes. Cloud service providers that create, receive, maintain, or transmit ePHI on behalf of covered entities are considered business associates, subject to applicable Security Rule requirements and BAAs.

Can compliance automation help with HIPAA Security Rule compliance?

Yes. Compliance automation platforms can continuously monitor controls, collect evidence, and track policy implementation, reducing manual effort and helping teams maintain audit readiness between formal reviews.

How does the HIPAA Security Rule overlap with SOC 2 and HITRUST?

HIPAA security requirements overlap with many controls in frameworks like SOC 2 and HITRUST. Organizations can often reuse evidence across frameworks—for example, access control, logging, and incident response processes that satisfy both HIPAA and SOC 2—streamlining multi-framework compliance efforts.


APRIL 24, 2026