Security Rule Overview

The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) establishes national standards to protect electronic Protected Health Information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards.

Security Rule Objectives

  • Confidentiality: ePHI is not disclosed to unauthorized persons
  • Integrity: ePHI is not altered or destroyed inappropriately
  • Availability: ePHI is accessible when needed by authorized persons

The Three Safeguard Categories

  • Administrative Safeguards: Policies, procedures, and workforce management
  • Physical Safeguards: Facility access and device/media protection
  • Technical Safeguards: Technology-based protections for ePHI

Required vs Addressable Specifications

The Security Rule designates specifications as either "Required" or "Addressable."

Required (R)

Must be implemented as specified. No flexibility.

Addressable (A)

Not optional, but allows flexibility. You must:

  1. Assess whether the specification is reasonable and appropriate
  2. If yes, implement it
  3. If no, document why and implement an equivalent alternative measure, or document why it's not applicable

"Addressable" does not mean optional. It means you must address it—either by implementing the specification, implementing an alternative, or documenting why neither applies.

Administrative Safeguards (§164.308)

Administrative safeguards make up the largest portion of Security Rule requirements—over half of all specifications.

§164.308(a)(1) Security Management Process (R)

Implement policies and procedures to prevent, detect, contain, and correct security violations.

  • Risk Analysis (R): Conduct an accurate and thorough assessment of potential risks to ePHI
  • Risk Management (R): Implement measures sufficient to reduce risks to a reasonable level
  • Sanction Policy (R): Apply sanctions against workforce members who violate policies
  • Information System Activity Review (R): Regularly review records of system activity

§164.308(a)(2) Assigned Security Responsibility (R)

Identify a Security Official responsible for developing and implementing security policies.

Implementation: Designate a Security Officer by name and document their responsibilities.

§164.308(a)(3) Workforce Security

Ensure all workforce members have appropriate access to ePHI and prevent unauthorized access.

  • Authorization and/or Supervision (A): Implement procedures for workforce authorization/supervision
  • Workforce Clearance Procedure (A): Implement procedures to determine appropriate access
  • Termination Procedures (A): Implement procedures for terminating access when employment ends

§164.308(a)(4) Information Access Management

Implement policies for authorizing access to ePHI.

  • Isolating Healthcare Clearinghouse Functions (R): Applies only when a healthcare clearinghouse is part of a larger organization; the clearinghouse's ePHI must be protected from unauthorized access by the rest of the organization
  • Access Authorization (A): Implement policies for granting access
  • Access Establishment and Modification (A): Implement policies for establishing and modifying access

§164.308(a)(5) Security Awareness and Training

Implement a security awareness and training program for all workforce members.

  • Security Reminders (A): Periodic security updates
  • Protection from Malicious Software (A): Procedures for guarding against malware
  • Log-in Monitoring (A): Procedures for monitoring log-in attempts
  • Password Management (A): Procedures for creating, changing, and safeguarding passwords

§164.308(a)(6) Security Incident Procedures (R)

Implement policies and procedures to address security incidents.

  • Response and Reporting (R): Identify and respond to suspected or known security incidents; mitigate harmful effects; document incidents and outcomes

§164.308(a)(7) Contingency Plan (R)

Establish policies for responding to emergencies that damage systems containing ePHI.

  • Data Backup Plan (R): Procedures to create and maintain retrievable exact copies of ePHI
  • Disaster Recovery Plan (R): Procedures to restore any loss of data
  • Emergency Mode Operation Plan (R): Procedures to enable continuation of critical processes during emergencies
  • Testing and Revision Procedures (A): Implement procedures for periodic testing and revision of contingency plans
  • Applications and Data Criticality Analysis (A): Assess relative criticality of applications and data

§164.308(a)(8) Evaluation (R)

Perform a periodic technical and nontechnical evaluation in response to environmental or operational changes.

§164.308(b)(1) Business Associate Contracts (R)

Obtain satisfactory assurances from business associates that they will appropriately safeguard ePHI.

Physical Safeguards (§164.310)

Physical safeguards protect the physical systems and facilities where ePHI is stored or accessed.

§164.310(a)(1) Facility Access Controls

Implement policies to limit physical access to electronic information systems.

  • Contingency Operations (A): Procedures for facility access during emergencies
  • Facility Security Plan (A): Policies to safeguard facility and equipment
  • Access Control and Validation Procedures (A): Control and validate access based on role
  • Maintenance Records (A): Document repairs and modifications to physical security components

§164.310(b) Workstation Use (R)

Implement policies specifying proper functions, manner of use, and physical attributes of workstations accessing ePHI.

Implementation: Define acceptable use, positioning (screen visibility), and security requirements for workstations.

§164.310(c) Workstation Security (R)

Implement physical safeguards that restrict workstation access to authorized users.

Implementation: Cable locks, secure rooms, privacy screens, screen locks when unattended.

§164.310(d)(1) Device and Media Controls

Implement policies governing receipt and removal of hardware and electronic media.

  • Disposal (R): Policies for final disposition of ePHI and/or hardware
  • Media Re-use (R): Procedures for removal of ePHI before re-use
  • Accountability (A): Maintain record of hardware and media movements
  • Data Backup and Storage (A): Create retrievable exact copy before moving equipment

Technical Safeguards (§164.312)

Technical safeguards are the technology and related policies that protect ePHI and control access.

§164.312(a)(1) Access Control

Implement technical policies to allow only authorized persons to access ePHI.

  • Unique User Identification (R): Assign a unique name and/or number to identify and track each user's identity
  • Emergency Access Procedure (R): Procedures for obtaining necessary ePHI during emergencies
  • Automatic Logoff (A): Implement electronic procedures that terminate a session after a predetermined period of inactivity
  • Encryption and Decryption (A): Implement mechanism to encrypt and decrypt ePHI

§164.312(b) Audit Controls (R)

Implement hardware, software, and/or procedural mechanisms to record and examine access and activity in information systems that contain or use ePHI.

Implementation: System logs, access logs, audit trails covering authentication, ePHI access, and administrative actions.

§164.312(c)(1) Integrity

Implement policies to protect ePHI from improper alteration or destruction.

  • Mechanism to Authenticate ePHI (A): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed

Implementation: Checksums, digital signatures, error-detecting codes. Note that plain checksums and error-detecting codes only catch accidental corruption; detecting deliberate alteration requires a keyed mechanism such as an HMAC or a digital signature, because an attacker who can edit the data can also recompute an unkeyed checksum.

§164.312(d) Person or Entity Authentication (R)

Implement procedures to verify that a person or entity seeking access is who they claim to be.

Implementation: Passwords, tokens, smart cards, biometrics, multi-factor authentication.

§164.312(e)(1) Transmission Security

Implement technical security measures to guard against unauthorized access to ePHI during transmission.

  • Integrity Controls (A): Ensure ePHI is not improperly modified during transmission
  • Encryption (A): Implement mechanism to encrypt ePHI when appropriate

Implementation: TLS for data in transit (the older SSL protocol versions are deprecated and should be disabled), VPNs for remote access, secure email solutions.
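Added example (not from the original page) showing two of the technical safeguards above in working code: a keyed integrity tag for an ePHI record (§164.312(c), Mechanism to Authenticate ePHI) and a hash-chained, append-only audit trail that records the unique user ID of every access (§164.312(b) Audit Controls, §164.312(a) Unique User Identification). The key, record fields, user IDs and resource names are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed key for this example only; a real deployment keeps it in a KMS or HSM.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

def _canonical(obj) -> bytes:
    # Stable serialization so the same content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to an ePHI record (Mechanism to Authenticate ePHI).
    Unlike a plain checksum, a keyed tag cannot be recomputed by whoever edits the record."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the tag still matches the record's current contents."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

class AuditLog:
    """Append-only audit trail (Audit Controls). Each entry carries the unique user ID
    and commits to the previous entry's hash, so edits or deletions break the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, user_id: str, action: str, resource: str, ts: float = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"user_id": user_id, "action": action, "resource": resource,
                 "ts": time.time() if ts is None else ts, "prev": prev}
        entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False means the trail was altered."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

During Information System Activity Review, running verify_chain() before reading the log is what turns "we have logs" into "we have logs nobody has quietly edited".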

Policies & Procedures (§164.316)

§164.316(a) Policies and Procedures (R)

Implement reasonable and appropriate policies and procedures to comply with the Security Rule.

§164.316(b)(1) Documentation (R)

Maintain written policies and procedures and written records of required actions, activities, or assessments.

  • Time Limit (R): Retain documentation for 6 years from creation date or last effective date
  • Availability (R): Make documentation available to persons responsible for implementing procedures
  • Updates (R): Review and update documentation periodically in response to changes

Documentation Requirements Summary

Required Documentation

  • Risk Analysis documentation
  • Risk Management plan
  • Sanction policy
  • Information system activity review records
  • Security Official designation
  • Security awareness training records
  • Security incident procedures and records
  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operation plan
  • Evaluation results
  • Business Associate Agreements
  • Workstation use policies
  • Device and media disposal/reuse policies
  • Access control policies
  • Audit logs and review records

If it's not documented, it didn't happen. The Security Rule explicitly requires written documentation retained for 6 years. Invest in documentation—it's your primary evidence of compliance.