HIPAA Security Rule Explained
The HIPAA Security Rule establishes the standards for protecting electronic Protected Health Information (ePHI). For technology companies handling health data, understanding and implementing the Security Rule requirements is essential for compliance.
This guide breaks down the Security Rule's administrative, physical, and technical safeguards, explaining what each requirement means in practice and how to implement them effectively.
Key Takeaways
| Aspect | Details |
|---|---|
| Purpose | Protect ePHI confidentiality, integrity, and availability |
| Applies to | All ePHI you create, receive, maintain, or transmit |
| Structure | Administrative, Physical, and Technical safeguards |
| Flexibility | Scalable based on organization size and complexity |
| Foundation | Risk assessment drives implementation decisions |
Quick Answer: The Security Rule requires you to implement safeguards that protect ePHI based on a risk assessment. It's organized into administrative (policies and procedures), physical (facility and device security), and technical (access controls and encryption) safeguards, with each safeguard being either "required" or "addressable."
Understanding the Security Rule Structure
The Security Rule organizes requirements into three categories of safeguards, plus organizational requirements and documentation:
Security Rule
├── Administrative Safeguards (§164.308)
├── Physical Safeguards (§164.310)
├── Technical Safeguards (§164.312)
├── Organizational Requirements (§164.314)
└── Policies and Procedures / Documentation (§164.316)
Required vs Addressable
Each safeguard specification is either:
- Required (R): Must be implemented as specified
- Addressable (A): Must be assessed; implement it if reasonable and appropriate, otherwise document why not and implement an equivalent alternative measure where one is reasonable and appropriate
"Addressable" does not mean "optional." You must document your decision and rationale for each addressable specification.
Administrative Safeguards
Administrative safeguards are policies, procedures, and actions to manage security. They represent the foundation of your security program.
Security Management Process (Required)
§164.308(a)(1) - Implement policies and procedures to prevent, detect, contain, and correct security violations.
| Specification | Type | What It Means |
|---|---|---|
| Risk Analysis | R | Conduct accurate assessment of risks to ePHI |
| Risk Management | R | Implement measures to reduce risks to reasonable level |
| Sanction Policy | R | Apply sanctions against workforce members who violate policies |
| Information System Activity Review | R | Regularly review audit logs and access reports |
Implementation guidance:
Risk Analysis: Conduct a comprehensive risk assessment identifying:
- Where ePHI is located
- Threats and vulnerabilities
- Current safeguards
- Likelihood and impact of threats
- Risk levels
Risk Management: Document and implement a plan to address identified risks, including:
- Remediation actions
- Timeline and ownership
- Residual risk acceptance (if applicable)
Sanction Policy: Define consequences for security violations, from warnings to termination.
Activity Review: Review system logs, access reports, and security incidents regularly.
Assigned Security Responsibility (Required)
§164.308(a)(2) - Identify a security official responsible for developing and implementing security policies.
Designate a specific individual (by name or title) responsible for HIPAA security compliance. This person:
- Oversees security program development
- Ensures implementation of safeguards
- Manages security incidents
- Reports to leadership on compliance status
Workforce Security
§164.308(a)(3) - Implement policies to ensure workforce members have appropriate access.
| Specification | Type | What It Means |
|---|---|---|
| Authorization and/or Supervision | A | Procedures for workforce access authorization |
| Workforce Clearance Procedure | A | Procedures to verify access is appropriate |
| Termination Procedures | A | Procedures to terminate access when employment ends |
Implementation guidance:
- Define access levels based on job roles
- Verify access appropriateness before granting
- Remove access promptly upon termination or role change
- Document access authorization decisions
Information Access Management
§164.308(a)(4) - Implement policies authorizing access to ePHI.
| Specification | Type | What It Means |
|---|---|---|
| Isolating Healthcare Clearinghouse Functions | R | For clearinghouses: separate clearinghouse functions |
| Access Authorization | A | Policies for granting access to ePHI |
| Access Establishment and Modification | A | Procedures to establish and modify access |
Implementation guidance:
- Document roles requiring ePHI access
- Define access provisioning procedures
- Implement access request and approval workflow
- Regularly review and adjust access levels
Security Awareness and Training
§164.308(a)(5) - Implement security awareness and training program.
| Specification | Type | What It Means |
|---|---|---|
| Security Reminders | A | Periodic security awareness updates |
| Protection from Malicious Software | A | Procedures for protection against malware |
| Log-in Monitoring | A | Procedures to monitor login attempts |
| Password Management | A | Procedures for creating and managing passwords |
Implementation guidance:
- Conduct initial training for all workforce members
- Provide annual refresher training
- Send periodic security reminders
- Train on specific threats (phishing, social engineering)
- Document all training completion
Security Incident Procedures (Required)
§164.308(a)(6) - Implement policies to address security incidents.
| Specification | Type | What It Means |
|---|---|---|
| Response and Reporting | R | Identify, respond to, mitigate, and document incidents |
Implementation guidance:
- Define what constitutes a security incident
- Establish incident response procedures
- Define escalation and notification requirements
- Document all incidents and responses
- Conduct post-incident reviews
Contingency Plan
§164.308(a)(7) - Establish policies for responding to emergencies affecting ePHI.
| Specification | Type | What It Means |
|---|---|---|
| Data Backup Plan | R | Procedures to create and maintain retrievable copies |
| Disaster Recovery Plan | R | Procedures to restore lost data |
| Emergency Mode Operation Plan | R | Procedures for critical operations during emergencies |
| Testing and Revision Procedures | A | Periodic testing of contingency plans |
| Applications and Data Criticality Analysis | A | Assess relative criticality of systems |
Implementation guidance:
- Implement automated backup procedures
- Test backup restoration regularly
- Document disaster recovery procedures
- Define critical systems and recovery priorities
- Test contingency plans at least annually
Evaluation (Required)
§164.308(a)(8) - Perform periodic technical and non-technical evaluations.
Conduct regular assessments of your security program:
- In response to environmental or operational changes
- Periodically (at least annually recommended)
- Document findings and remediation actions
Business Associate Contracts
§164.308(b) - Obtain satisfactory assurances from business associates.
| Specification | Type | What It Means |
|---|---|---|
| Written Contract or Other Arrangement | R | Ensure BAAs are in place with all business associates |
Every vendor or subcontractor who accesses ePHI must sign a Business Associate Agreement. See our guide on Business Associate Agreements.
Physical Safeguards
Physical safeguards protect the physical systems and facilities where ePHI is accessed, stored, or transmitted.
Facility Access Controls
§164.310(a) - Implement policies to limit physical access to facilities.
| Specification | Type | What It Means |
|---|---|---|
| Contingency Operations | A | Procedures for facility access during emergencies |
| Facility Security Plan | A | Policies to safeguard facility and equipment |
| Access Control and Validation Procedures | A | Procedures to control and validate facility access |
| Maintenance Records | A | Document repairs and modifications to physical security |
Implementation guidance for SaaS companies:
- For most SaaS companies, ePHI lives in cloud infrastructure (AWS, GCP, Azure)
- Cloud providers handle physical security of their data centers (covered by their BAAs)
- Focus on your office locations that access ePHI:
  - Secure access to office space
  - Visitor policies
  - Clean desk policies
Workstation Use (Required)
§164.310(b) - Implement policies specifying proper workstation use.
Define:
- What functions can be performed on workstations accessing ePHI
- How workstations should be positioned for privacy
- Environment requirements (private areas, locked rooms)
- Acceptable use policies
Workstation Security (Required)
§164.310(c) - Implement physical safeguards for workstations accessing ePHI.
Implement:
- Screen locks and automatic timeouts
- Cable locks for laptops (if applicable)
- Private screen filters
- Secure storage when not in use
Device and Media Controls
§164.310(d) - Implement policies for receipt and removal of hardware and media containing ePHI.
| Specification | Type | What It Means |
|---|---|---|
| Disposal | R | Policies for secure disposal of ePHI and hardware |
| Media Re-use | R | Procedures for removing ePHI before re-using media |
| Accountability | A | Maintain record of hardware and media movements |
| Data Backup and Storage | A | Create exact copy before moving equipment |
Implementation guidance:
- Implement secure disposal procedures (wipe or destroy)
- Document disposal of devices
- Track devices containing ePHI
- Use full-disk encryption to simplify disposal (an encrypted device can be disposed of by destroying its key, without a separate wipe, provided the key was never stored on the device in recoverable form)
Technical Safeguards
Technical safeguards are the technology and related policies protecting ePHI.
Access Control
§164.312(a) - Implement technical policies to allow only authorized persons to access ePHI.
| Specification | Type | What It Means |
|---|---|---|
| Unique User Identification | R | Assign unique identifier to each user |
| Emergency Access Procedure | R | Procedures for obtaining ePHI during emergencies |
| Automatic Logoff | A | Procedures to terminate sessions after inactivity |
| Encryption and Decryption | A | Implement mechanisms to encrypt and decrypt ePHI |
Implementation guidance:
- No shared accounts; each user has unique credentials
- Implement MFA for all ePHI access
- Configure automatic session timeouts
- Encrypt ePHI at rest and in transit
Audit Controls (Required)
§164.312(b) - Implement mechanisms to record and examine activity in systems containing ePHI.
Implement:
- Audit logging on all systems containing ePHI
- Log user access, modifications, deletions
- Retain logs for appropriate period (6 years recommended)
- Regularly review logs for suspicious activity
- Centralize log management and monitoring
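The periodic review of logs called for under Information System Activity Review, Log-in Monitoring and Audit Controls can be partly automated. The following is an added example, not code from the original guide: it runs two simple checks over constructed audit lines in an assumed `timestamp key=value ...` format, flagging a user with repeated failed logins inside a window and a user reading an unusually large number of distinct patient records in a short time. Thresholds and the line format are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data): alice fails login five times,
# bob reads thirty distinct patient records within a minute, carol behaves normally.
SAMPLE_LOG = (
    [f"2024-03-01T09:00:{s:02d}Z user=alice event=login result=fail src=10.0.0.5" for s in (1, 7, 15, 22, 30)]
    + ["2024-03-01T09:01:00Z user=bob event=login result=ok src=10.0.0.9"]
    + [f"2024-03-01T09:03:{s:02d}Z user=bob event=phi_read patient=P-{s:04d} result=ok src=10.0.0.9"
       for s in range(30)]
    + ["2024-03-01T09:05:00Z user=carol event=login result=ok src=10.0.0.12",
       "2024-03-01T09:06:00Z user=carol event=phi_read patient=P-0001 result=ok src=10.0.0.12"]
)

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a timezone-aware ts."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def review(lines, fail_threshold=5, read_threshold=20, window=timedelta(minutes=10)):
    """Return [(user, reason)] in the order each user first crosses a threshold."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    fails, reads = defaultdict(deque), defaultdict(deque)  # per-user sliding windows
    findings, flagged = [], set()

    def flag(user, reason):
        if (user, reason) not in flagged:  # report each user/reason pair once
            flagged.add((user, reason))
            findings.append((user, reason))

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["event"] == "login" and e["result"] == "fail":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                flag(user, "repeated failed logins")
        elif e["event"] == "phi_read":
            q = reads[user]
            q.append((ts, e["patient"]))
            while ts - q[0][0] > window:
                q.popleft()
            if len({p for _, p in q}) >= read_threshold:
                flag(user, "high-volume record access")
    return findings
```

A finding is a prompt for a human reviewer, who should check the access against the user's role and document the outcome, as the Activity Review specification requires.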
Integrity
§164.312(c) - Implement policies to protect ePHI from improper alteration or destruction.
| Specification | Type | What It Means |
|---|---|---|
| Mechanism to Authenticate Electronic PHI | A | Electronic mechanisms to verify ePHI hasn't been altered |
Implementation guidance:
- Implement integrity controls (checksums, digital signatures)
- Database integrity constraints
- Version control for critical data
- Backup verification procedures
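The "checksums, digital signatures" item above hides a distinction a practitioner should make. The following is an added example, not from the original guide: it stores a constructed ePHI record once with an unkeyed SHA-256 checksum and once with a keyed HMAC-SHA256 tag, then shows that an edit by someone with write access to the record store is only detected by the keyed version, because that person can recompute a plain checksum but not a tag without the key. The key value and its handling are assumptions for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads it from a KMS or secret store,
# never from the same database that holds the records it protects.
INTEGRITY_KEY = b"demo-key-not-for-production"

def canonical_bytes(record: dict) -> bytes:
    """Stable serialization so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def store_with_checksum(record: dict) -> dict:
    """Unkeyed checksum: catches accidental corruption, not deliberate edits."""
    return {"record": record, "checksum": hashlib.sha256(canonical_bytes(record)).hexdigest()}

def checksum_ok(stored: dict) -> bool:
    return hashlib.sha256(canonical_bytes(stored["record"])).hexdigest() == stored["checksum"]

def store_with_tag(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Keyed tag (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return {"record": record, "tag": hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()}

def tag_ok(stored: dict, key: bytes = INTEGRITY_KEY) -> bool:
    expected = hmac.new(key, canonical_bytes(stored["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])  # constant-time comparison

def demo():
    """Return (checksum_detects_edit, tag_detects_edit) for an edit by someone with DB write access."""
    rec = {"patient_id": "P-0001", "allergies": ["penicillin"]}  # constructed sample record
    edited = {"patient_id": "P-0001", "allergies": []}
    # With write access to the store, the editor simply recomputes the unkeyed checksum.
    tampered_checksum = store_with_checksum(edited)
    # Without the key, the editor cannot recompute the tag, so the original tag stays behind.
    tampered_tag = {"record": edited, "tag": store_with_tag(rec)["tag"]}
    return (not checksum_ok(tampered_checksum), not tag_ok(tampered_tag))

def corruption_detected() -> tuple:
    """Accidental bit-flip style corruption is caught by both mechanisms."""
    rec = {"patient_id": "P-0002", "dob": "1980-01-01"}
    damaged = {"patient_id": "P-0002", "dob": "1980-01-02"}
    c, t = store_with_checksum(rec), store_with_tag(rec)
    return (not checksum_ok({"record": damaged, "checksum": c["checksum"]}),
            not tag_ok({"record": damaged, "tag": t["tag"]}))
```

Where the verifier must be a different party from the writer (for example a receiving system checking records it did not produce), a digital signature over the same canonical bytes replaces the HMAC, since verification then needs only the public key.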
Person or Entity Authentication (Required)
§164.312(d) - Implement procedures to verify that persons or entities seeking access are who they claim to be.
Implement:
- Strong authentication mechanisms
- Multi-factor authentication
- Authentication for system-to-system communication
- Certificate-based authentication where appropriate
Transmission Security
§164.312(e) - Implement technical measures to guard against unauthorized access during transmission.
| Specification | Type | What It Means |
|---|---|---|
| Integrity Controls | A | Security measures ensuring ePHI isn't modified during transmission |
| Encryption | A | Mechanism to encrypt ePHI during transmission |
Implementation guidance:
- TLS 1.2+ for all data in transit
- HTTPS for all web traffic
- Encrypted email or secure messaging for PHI
- VPN for remote access to internal systems
- API encryption and authentication
Documentation Requirements
§164.316 - Implement reasonable and appropriate policies and procedures.
Required Documentation
| Requirement | Retention Period |
|---|---|
| Policies and procedures | 6 years from creation or last effective date, whichever is later |
| Required actions, activities, and assessments | 6 years from creation or last effective date, whichever is later |
| Risk assessments and risk management plans | 6 years |
| Training documentation | 6 years |
| Incident documentation | 6 years |
Documentation Best Practices
- Version control: Track changes to policies
- Review cycle: Annual review and update
- Accessibility: Make policies available to workforce
- Acknowledgment: Document workforce acknowledgment of policies
Security Rule Checklist
Use this checklist to assess your Security Rule compliance:
Administrative Safeguards
- Security official designated
- Risk analysis conducted
- Risk management plan documented
- Sanction policy in place
- Security awareness training implemented
- Incident response procedures established
- Contingency plan created and tested
- BAAs in place with all business associates
- Periodic evaluations conducted
Physical Safeguards
- Facility access controls implemented
- Workstation use policies defined
- Workstation security implemented
- Device and media disposal procedures established
Technical Safeguards
- Unique user identification implemented
- Access controls based on role
- Automatic session timeout configured
- Encryption at rest implemented
- Encryption in transit implemented
- Audit logging enabled and monitored
- Integrity controls in place
- Multi-factor authentication enabled
Documentation
- Policies and procedures documented
- Documentation retained for 6 years
- Regular policy reviews scheduled
Common Security Rule Mistakes
1. Treating "Addressable" as Optional
Every addressable specification must be:
- Assessed for your environment
- Implemented if reasonable and appropriate
- Documented with rationale if not implemented
- Replaced with equivalent alternative if not implemented
2. One-Time Risk Assessment
Risk assessments should be:
- Conducted initially and when changes occur
- Updated at least annually
- Documented thoroughly
- Used to drive security decisions
3. Inadequate Training
Training should be:
- Provided to all workforce members (not just technical staff)
- Role-appropriate
- Documented
- Refreshed annually
4. Missing BAAs
Every vendor accessing ePHI needs a BAA, including:
- Cloud providers
- Email providers
- Analytics tools
- Support tools
- Subcontractors
How Bastion Helps
Bastion helps technology companies implement Security Rule requirements:
- Gap assessment: Evaluate current state against all safeguards
- Risk assessment: Conduct required risk analysis with proper documentation
- Policy development: Create policies addressing all requirements
- Technical guidance: Implement technical safeguards effectively
- Training: Develop and deliver workforce training
- Ongoing compliance: Maintain documentation and periodic evaluations
Ready to discuss your Security Rule compliance? Talk to our team
