The HIPAA Security Rule is the part of the US Health Insurance Portability and Accountability Act that sets national standards for protecting electronic protected health information (ePHI). Where the HIPAA Privacy Rule governs how protected health information (PHI) may be used and disclosed in any format, the Security Rule focuses specifically on the confidentiality, integrity, and availability of health information held or transmitted in electronic form.
This article is general guidance only and is not legal advice.
Who Must Comply With the HIPAA Security Rule
The rule applies to covered entities and their business associates. Covered entities are health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically. Business associates are vendors and partners that create, receive, maintain, or transmit ePHI on a covered entity’s behalf, such as cloud hosts, billing companies, and IT service providers.
Because responsibility flows down the chain, a Business Associate Agreement (BAA) is required between covered entities and their business associates, and between business associates and their subcontractors. The BAA contractually binds each party to safeguard ePHI consistent with the rule.
The Three Categories of Safeguards
The HIPAA Security Rule organizes its requirements into three categories of safeguards. Each combines standards that must be met with implementation specifications that describe how to meet them. Some specifications are “required,” while others are “addressable,” meaning the organization must assess whether the specification is reasonable and appropriate for its environment and document its decision.
| Safeguard category | Focus | Representative measures |
|---|---|---|
| Administrative | Policies, people, and processes governing ePHI | Risk analysis and risk management, workforce training, sanction policies, contingency planning, security officer designation |
| Physical | Protecting facilities, devices, and media | Facility access controls, workstation security, device and media disposal and reuse controls |
| Technical | Technology controls over access and transmission | Access controls, audit logging, integrity controls, authentication, and transmission security such as encryption |
Addressable does not mean optional. If a control is not reasonable for your setting, you must document why and, where appropriate, adopt an equivalent alternative measure.
Risk Analysis: The Foundation of the HIPAA Security Rule
A mandatory, accurate, and thorough risk analysis sits at the heart of compliance. Organizations must identify where ePHI lives, how it flows, and the reasonably anticipated threats and vulnerabilities that could compromise it. The findings then drive a risk management program that reduces risks to a reasonable and appropriate level.
Risk analysis is not a one-time exercise. It should be repeated when systems change, after security incidents, and on a regular cadence. Many enforcement actions by the HHS Office for Civil Rights (OCR) trace back to a missing, outdated, or superficial risk analysis, so treat it as an ongoing discipline rather than a checkbox.
Common risk analysis inputs
- Inventory of systems, applications, and devices that store or transmit ePHI
- Data flow mapping across on-premises and cloud environments
- Threat and vulnerability identification, including insider and third-party risk
- Assessment of current controls and residual risk
- A prioritized remediation and risk management plan
How the Security Rule Fits With Other HIPAA Rules
The Security Rule works alongside the Privacy Rule and the Breach Notification Rule. The Privacy Rule applies the minimum-necessary standard to uses and disclosures of PHI. The Security Rule protects the electronic subset of that information. When protections fail, the Breach Notification Rule requires notifying affected individuals and HHS OCR, generally without unreasonable delay and no later than 60 days after discovery, with media notice required for larger breaches.
| HIPAA rule | Primary purpose |
|---|---|
| Privacy Rule | Governs permitted uses and disclosures of PHI and the minimum-necessary standard |
| Security Rule | Requires administrative, physical, and technical safeguards for ePHI |
| Breach Notification Rule | Requires notification to individuals and HHS OCR after a breach of unsecured PHI |
Practical Steps Toward Compliance
A defensible program typically starts with governance and works outward to technical controls. The following sequence helps organizations demonstrate good-faith effort and maintain evidence for regulators.
- Appoint a security official responsible for developing and enforcing policies
- Conduct and document a thorough risk analysis, then act on the findings
- Implement access controls, unique user identification, and audit logging
- Encrypt ePHI where reasonable and appropriate, in transit and at rest
- Train the workforce and enforce a sanction policy for violations
- Maintain contingency and data backup plans, and test them
- Execute BAAs with every business associate and subcontractor
- Retain policies, procedures, and evidence for the required period
For the authoritative source, review the guidance published by the enforcing agency at the U.S. Department of Health and Human Services HIPAA portal.
Frequently Asked Questions
What is the difference between the HIPAA Privacy Rule and the Security Rule?
The Privacy Rule covers PHI in any form and controls how it may be used and disclosed. The Security Rule applies specifically to electronic PHI and requires administrative, physical, and technical safeguards to protect it.
Is a risk analysis really mandatory?
Yes. The HIPAA Security Rule requires a documented, accurate, and thorough risk analysis. It underpins nearly every other requirement and is one of the most frequently cited gaps in enforcement actions.
What does “addressable” mean in the Security Rule?
Addressable specifications are not optional. You must evaluate whether a given control is reasonable and appropriate for your environment, then implement it, adopt an equivalent alternative, or document a justified decision not to.
Do business associates have to comply directly?
Yes. Business associates must comply with the Security Rule and can be held directly liable by HHS OCR. A Business Associate Agreement is required to formalize each party’s obligations.

Related Guides
- Complete HIPAA Compliance Guide
- Understanding the HIPAA Privacy Rule
- How to Run a HIPAA Risk Assessment
Ready to operationalize these requirements? Our editable HIPAA (US) toolkit gives you ready-to-use policies, risk analysis templates, and BAA frameworks aligned to the Security Rule so your team can move faster. Explore the HIPAA Toolkit and start building a defensible compliance program today.

