HealthcareUnited States

HIPAA Security Rule

The HIPAA Security Rule establishes national standards for protecting electronic Protected Health Information (ePHI) in the United States. Published by the U.S. Department of Health and Human Services, it requires covered entities and business associates to implement administrative, physical, and technical safeguards. The rule applies to health plans, healthcare clearinghouses, healthcare providers that transmit health information electronically, and their business associates.

Overview

What is the HIPAA Security Rule?

The HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) is a US federal regulation that sets minimum security standards for protecting electronic Protected Health Information (ePHI). It is one component of the Health Insurance Portability and Accountability Act of 1996, alongside the Privacy Rule and Breach Notification Rule. The Security Rule specifically addresses the confidentiality, integrity, and availability of ePHI and requires covered entities to conduct risk analyses and implement appropriate safeguards.

What are the three types of HIPAA safeguards?

The Security Rule organises its requirements into three categories of safeguards:

Administrative Safeguards (Section 164.308): Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures. Includes risk analysis, workforce security, information access management, security awareness training, contingency planning, and evaluation. These represent the largest section of the rule.
Physical Safeguards (Section 164.310): Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards. Covers facility access controls, workstation use and security, and device and media controls.
Technical Safeguards (Section 164.312): Technology and related policies that protect ePHI and control access to it. Covers access controls, audit controls, integrity controls, person or entity authentication, and transmission security.

What is the difference between required and addressable HIPAA specifications?

The Security Rule designates each implementation specification as either 'Required' or 'Addressable.' Required specifications must be implemented as stated. Addressable specifications require the organisation to assess whether the specification is reasonable and appropriate; if so, implement it; if not, document why and implement an equivalent alternative. Addressable does not mean optional. Organisations must document their rationale regardless of the decision.

What are the HIPAA breach notification requirements?

The Breach Notification Rule (Subpart D) requires covered entities to notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals require notification to the HHS Secretary and prominent media outlets simultaneously. Breaches affecting fewer than 500 individuals must be reported to HHS annually. Business associates must notify the covered entity within 60 days (or as specified in the Business Associate Agreement).

Key Controls

ID	Control	Description
164.308(a)(1)	Security Management Process	Implement policies and procedures to prevent, detect, contain, and correct security violations. Includes risk analysis and risk management.
164.308(a)(3)	Workforce Security	Implement policies and procedures to ensure all members of the workforce have appropriate access to ePHI and prevent unauthorised access.
164.308(a)(5)	Security Awareness & Training	Implement a security awareness and training program for all members of the workforce including management.
164.308(a)(6)	Security Incident Procedures	Implement policies and procedures to address security incidents including response and reporting.
164.308(a)(7)	Contingency Plan	Establish policies and procedures for responding to emergencies that damage systems containing ePHI.
164.310(a)(1)	Facility Access Controls	Implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed.
164.312(a)(1)	Access Control	Implement technical policies and procedures that allow only authorised persons to access ePHI.
164.312(e)(1)	Transmission Security	Implement technical security measures to guard against unauthorised access to ePHI transmitted over electronic networks.

Domains

Administrative Safeguards

Organizational Requirements

Physical Safeguards

Technical Safeguards

Policies, Procedures and Documentation

Compare HIPAA Security Rule

HIPAA Security Rule vs GDPRView comparison →HIPAA Security Rule vs ISO 27001:2022View comparison →

Implementation Guides

HIPAA Security & PrivacyStep-by-step guide →

Compare HIPAA Security Rule

HIPAA Security Rule vs ISO 27001:2022View comparison →HIPAA Security Rule vs SOC 2View comparison →HIPAA Security Rule vs NIST CSF 2.0View comparison →HIPAA Security Rule vs GDPRView comparison →HIPAA Security Rule vs PCI DSS 4.0View comparison →HIPAA Security Rule vs NIST 800-53View comparison →

CMS Medicare Administrative Contractor Audit Requirements Integration with HIPAA Security Rule 164.308 Administrative Safeguards for Healthcare Payment Processing ComplianceHealthcare organizations must align CMS Medicare audit requirements with HIPAA Security Rule administrative safeguards to maintain payment processing compliance. This integration requires mapping MAC audit criteria to specific security controls while maintaining continuous monitoring capabilities.

HIPAA Risk Assessment Documentation Requirements Integration with Joint Commission Patient Safety Standards: Complete Healthcare Quality Compliance FrameworkHealthcare organizations must align HIPAA Security Rule risk assessment documentation with Joint Commission patient safety requirements to ensure comprehensive compliance coverage. This integration creates a unified approach to patient data protection while meeting accreditation standards for quality care delivery.

Medicare Advantage Quality Measures Integration with HIPAA Security Rule Technical Safeguards: Complete Healthcare Compliance Alignment FrameworkMedicare Advantage organizations must align CMS quality reporting requirements with HIPAA technical safeguards to ensure data integrity while protecting patient information. This integration framework addresses the intersection of quality measurement data security and regulatory compliance for managed care organizations.

HIPAA Security Rule Administrative Safeguards Integration with Joint Commission Patient Safety Standards: Complete Healthcare Information Security FrameworkHIPAA Security Rule administrative safeguards and Joint Commission patient safety standards share common objectives around healthcare information protection and patient safety outcomes. This integration creates a comprehensive healthcare compliance framework that addresses both regulatory requirements while improving clinical care delivery through systematic information security controls.

$297 USD

HIPAA Security Rule by Industry

HIPAA Security Rule for Healthcare→HIPAA Security Rule for Financial Services→HIPAA Security Rule for Technology→HIPAA Security Rule for Government→HIPAA Security Rule for Manufacturing→HIPAA Security Rule for Energy→HIPAA Security Rule for Retail→HIPAA Security Rule for Education→

HIPAA Security Rule by Role

HIPAA Security Rule for CISOs→HIPAA Security Rule for Compliance Officers→HIPAA Security Rule for Risk Managers→HIPAA Security Rule for IT Directors→HIPAA Security Rule for DPOs→HIPAA Security Rule for Auditors→

Frequently Asked Questions

What is HIPAA Security Rule?

Health Insurance Portability and Accountability Act security standards for protecting electronic protected health information (ePHI).

How many controls does HIPAA Security Rule have?

HIPAA Security Rule contains 37 controls organized across 5 domains.

Where does HIPAA Security Rule apply?

HIPAA Security Rule is applicable in United States. Organizations operating in or serving customers in this jurisdiction should evaluate its requirements.

What frameworks does HIPAA Security Rule map to?

HIPAA Security Rule has control-to-control mappings with 466 other compliance frameworks in our database. Use our compliance platform to explore these mappings interactively.

How do I get started with HIPAA Security Rule compliance?

Start by understanding the framework's key controls and domains. Our compliance platform provides AI-powered gap analysis and mapping tools to help you assess your current posture and build a remediation plan.

How ready are you for HIPAA Security Rule?

Answer 25 questions and get a professional readiness report with gap analysis, maturity scores, and prioritised action items. Results in 5 minutes.

Explore Platform Free

HealthcareUnited States

HIPAA Security Rule

Overview

What is the HIPAA Security Rule?

What are the three types of HIPAA safeguards?

The Security Rule organises its requirements into three categories of safeguards:

Administrative Safeguards (Section 164.308): Policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures. Includes risk analysis, workforce security, information access management, security awareness training, contingency planning, and evaluation. These represent the largest section of the rule.
Physical Safeguards (Section 164.310): Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards. Covers facility access controls, workstation use and security, and device and media controls.
Technical Safeguards (Section 164.312): Technology and related policies that protect ePHI and control access to it. Covers access controls, audit controls, integrity controls, person or entity authentication, and transmission security.

What is the difference between required and addressable HIPAA specifications?

What are the HIPAA breach notification requirements?

Key Controls

ID	Control	Description
164.308(a)(1)	Security Management Process	Implement policies and procedures to prevent, detect, contain, and correct security violations. Includes risk analysis and risk management.
164.308(a)(3)	Workforce Security	Implement policies and procedures to ensure all members of the workforce have appropriate access to ePHI and prevent unauthorised access.
164.308(a)(5)	Security Awareness & Training	Implement a security awareness and training program for all members of the workforce including management.
164.308(a)(6)	Security Incident Procedures	Implement policies and procedures to address security incidents including response and reporting.
164.308(a)(7)	Contingency Plan	Establish policies and procedures for responding to emergencies that damage systems containing ePHI.
164.310(a)(1)	Facility Access Controls	Implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed.
164.312(a)(1)	Access Control	Implement technical policies and procedures that allow only authorised persons to access ePHI.
164.312(e)(1)	Transmission Security	Implement technical security measures to guard against unauthorised access to ePHI transmitted over electronic networks.

Domains

Administrative Safeguards

Organizational Requirements

Physical Safeguards

Technical Safeguards

Policies, Procedures and Documentation

Compare HIPAA Security Rule

HIPAA Security Rule vs GDPRView comparison →HIPAA Security Rule vs ISO 27001:2022View comparison →

Implementation Guides

HIPAA Security & PrivacyStep-by-step guide →

Compare HIPAA Security Rule

$297 USD

HIPAA Security Rule by Industry

HIPAA Security Rule by Role

Frequently Asked Questions

What is HIPAA Security Rule?

Health Insurance Portability and Accountability Act security standards for protecting electronic protected health information (ePHI).

How many controls does HIPAA Security Rule have?

HIPAA Security Rule contains 37 controls organized across 5 domains.

Where does HIPAA Security Rule apply?

HIPAA Security Rule is applicable in United States. Organizations operating in or serving customers in this jurisdiction should evaluate its requirements.

What frameworks does HIPAA Security Rule map to?

HIPAA Security Rule has control-to-control mappings with 466 other compliance frameworks in our database. Use our compliance platform to explore these mappings interactively.

How do I get started with HIPAA Security Rule compliance?

How ready are you for HIPAA Security Rule?

Answer 25 questions and get a professional readiness report with gap analysis, maturity scores, and prioritised action items. Results in 5 minutes.

Explore Platform Free

HIPAA Security Rule

Overview

What is the HIPAA Security Rule?

What are the three types of HIPAA safeguards?

What is the difference between required and addressable HIPAA specifications?

What are the HIPAA breach notification requirements?

Key Controls

Domains

Compare HIPAA Security Rule

Implementation Guides

Compare HIPAA Security Rule

Related Articles

Related Courses

HIPAA Security Rule by Industry

HIPAA Security Rule by Role

Frequently Asked Questions

How ready are you for HIPAA Security Rule?

HIPAA Security Rule

Overview

What is the HIPAA Security Rule?

What are the three types of HIPAA safeguards?

What is the difference between required and addressable HIPAA specifications?

What are the HIPAA breach notification requirements?

Key Controls

Domains

Compare HIPAA Security Rule

Implementation Guides

Compare HIPAA Security Rule

Related Articles

Related Courses

HIPAA Security Rule by Industry

HIPAA Security Rule by Role

Frequently Asked Questions

How ready are you for HIPAA Security Rule?