What is the HIPAA Security Rule?

Modified on Tue, 19 Sep, 2023 at 11:55 AM

The HIPAA Security Rule is a series of HIPAA regulations that require covered entities and business associates to protect the confidentiality, integrity, and availability of protected health information that is created, maintained, received, or transmitted in electronic form. This PHI is referred to as electronic protected health information, or ePHI. The terms confidentiality, integrity, and availability have the following definitions:

  1. Confidentiality ensures that no unauthorized access or disclosure is made to ePHI;

  2. Integrity ensures that no unauthorized modifications, additions, or deletions are made to ePHI; and

  3. Availability ensures that ePHI is accessible when needed, and that it is in usable form.


HIPAA Security Rule General Requirements

In addition to requiring protection of the confidentiality, integrity, and availability of ePHI, the Security Rule requires covered entities and business associates to:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.

  3. Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the HIPAA Privacy Rule.

  4. Train the workforce on security rule concepts, by providing periodic security updates and reminders; procedures for guarding against, detecting, and reporting malicious software; and procedures for creating, changing, and safeguarding passwords.


HIPAA Security Rule Specific Requirements - Safeguards

The Security Rule includes administrative, physical, and technical safeguards. These safeguards set forth standards to protect the confidentiality, integrity, and availability of ePHI.


Administrative safeguards: The HIPAA Security Rule defines administrative safeguards as “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information.” Administrative safeguards also include such measures “to manage the conduct of the covered entity’s [or business associate’s] workforce in relation to the protection of that information.”

Administrative safeguard measures include the security management process standard (which, among other things, requires the performance of a security risk assessment and risk management).


Other standards include the workforce security standard; the information access management standard; the security official standard (which requires designation of a security official); the security awareness and training standard; the security incident procedures standard (which requires CEs and BAs to develop policies and procedures for detecting and responding to security incidents); the contingency plan standard (requiring organizations to develop contingency plans, including data backup plans, disaster recovery plans, and emergency mode operation plans); and the evaluation standard (requiring organizations to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI).

Another administrative safeguard measure is the "business associate contract" standard. This standard requires covered entities and business associates to enter into business associate agreements, and business associates and business associate subcontractors to enter into business associate agreements.

Physical safeguards: The Security Rule defines physical safeguards as “Physical measures, policies, and procedures to protect a covered entity’s [or business associate’s] electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Physical safeguards protect the physical security of offices, home offices, remote worksites, and other locations where ePHI may be stored or maintained. Physical safeguard standards include facility access and control measures; workstation use and security measures; and device and media controls.


Technical safeguards: The Security Rule defines technical safeguards as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Technical safeguard standards include access and audit controls; integrity controls; person or entity authentication controls; and transmission security controls.
