# HIPAA Security Rule
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes national standards for protecting electronic protected health information (ePHI) held or transmitted by covered entities and their business associates. The rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996. The Security Rule was finalized in 2003 and became enforceable in 2005. The HITECH Act (2009) extended HIPAA requirements to business associates (vendors that handle ePHI on behalf of covered entities) and significantly increased enforcement penalties. The HHS Office for Civil Rights (OCR) enforces HIPAA through complaint investigations, compliance audits, and resolution agreements that have reached $16 million in a single settlement.
Covered entities include health plans, healthcare clearinghouses, and healthcare providers that transmit any health information in electronic form in connection with a HIPAA standard transaction (claims, eligibility checks, and similar). Business associates include any entity that creates, receives, maintains, or transmits ePHI on behalf of a covered entity: cloud hosting providers, EHR vendors, billing companies, IT service providers, shredding companies that handle PHI-containing media, and any other vendor in the healthcare supply chain that touches ePHI.
The Security Rule is not prescriptive. It does not specify which encryption algorithm to use, which SIEM to deploy, or which access control model to implement. It specifies required and addressable safeguard standards that the organization must implement in a manner appropriate to its size, complexity, and risk environment. This flexibility is intentional: a large hospital system and a two-physician clinic both must comply with HIPAA, but their implementations will differ dramatically in scale and sophistication.
The Security Rule organizes safeguards into three categories:
Administrative safeguards (§164.308). Organizational policies and procedures that manage the selection, development, implementation, and maintenance of security measures:
- Security management process: risk analysis, risk management, sanction policy, and information system activity review. The risk analysis (often called "risk assessment") is the foundation of HIPAA compliance. OCR has cited the absence of a comprehensive risk analysis as a finding in more enforcement actions than any other single standard.
- Workforce security: authorization and supervision procedures, workforce clearance, and termination procedures. Covered entities must ensure that workforce members who access ePHI are authorized and that access is terminated promptly when the worker's role changes or employment ends.
- Information access management: access authorization, access establishment and modification policies. Access to ePHI must be limited to the minimum necessary for the workforce member's job function.
- Security awareness and training: security reminders, protection from malware, login monitoring, and password management. Training must be provided to all workforce members, not just clinical staff.
- Security incident procedures: identification, response, and reporting of security incidents.
- Contingency plan: data backup, disaster recovery, emergency mode operations, testing, and applications and data criticality analysis. The contingency plan must address ePHI availability during and after emergencies.
- Evaluation: periodic technical and non-technical evaluation of the security program.
- Business associate contracts: covered entities must have written agreements (Business Associate Agreements, BAAs) with every business associate that creates, receives, maintains, or transmits ePHI.
Physical safeguards (§164.310). Controls that protect the physical facilities and equipment that store and process ePHI:
- Facility access controls: contingency operations access, facility security plan, access control and validation, and maintenance records.
- Workstation use: policies specifying the proper functions, physical attributes, and environment for workstations that access ePHI.
- Workstation security: physical safeguards that restrict access to workstations that access ePHI.
- Device and media controls: disposal, media reuse, accountability, and data backup and storage for electronic media containing ePHI.
Technical safeguards (§164.312). Technology-based controls that protect ePHI:
- Access control: unique user identification, emergency access procedures, automatic logoff, and encryption and decryption. Every user who accesses ePHI must have a unique identifier (no shared accounts). Automatic logoff terminates inactive sessions after a period the organization sets in its risk analysis; the rule does not fix a number.
- Audit controls: mechanisms that record and examine access and activity in systems containing ePHI. Audit logs must be maintained and reviewed; the companion administrative requirement, information system activity review, is what turns stored logs into a control.
- Integrity controls: mechanisms to protect ePHI from improper alteration or destruction, including electronic mechanisms to corroborate that ePHI has not been altered.
- Person or entity authentication: procedures to verify that the person or entity seeking access to ePHI is who they claim to be.
- Transmission security: technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic network. Its two implementation specifications, integrity controls and encryption, are both addressable; in practice this is the encryption-in-transit requirement.
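As an added example that is not from the original article and not CDA's own tooling, the following Python script shows what an information system activity review of the audit log can actually check against three of the specifications above: unique user identification, automatic logoff, and termination procedures. The HR roster, the log format (timestamp|user|event|patient), the shared-account naming prefixes, and the 15-minute logoff window are all constructed assumptions for the example; real EHR audit formats differ, and the logoff window is whatever your own risk analysis set.

```python
"""Audit-log review for the HIPAA technical safeguards: flags access by
terminated workforce members, use of shared (non-unique) accounts, and
sessions that outlived the automatic-logoff window.
All data below is constructed for the example; the log format is assumed."""
from datetime import datetime, timedelta

# Assumed HR roster: user id -> (role, termination date or None).
ROSTER = {
    "jdoe": ("nurse", None),
    "rsmith": ("billing", datetime(2024, 3, 1)),   # terminated 1 March
    "shared_rn": ("nurse", None),                  # generic floor account
}
# Assumed naming convention for non-individual accounts.
SHARED_PREFIXES = ("shared_", "generic_", "dept_")
# Assumed policy value; the rule does not fix a number, your risk analysis does.
AUTO_LOGOFF = timedelta(minutes=15)

# Constructed EHR access log, one event per line: timestamp|user|event|patient.
SAMPLE_LOG = """\
2024-03-02T08:01:00|jdoe|LOGIN|-
2024-03-02T08:05:00|jdoe|VIEW|P100
2024-03-02T08:40:00|jdoe|VIEW|P101
2024-03-02T09:00:00|jdoe|LOGOUT|-
2024-03-02T10:00:00|rsmith|VIEW|P200
2024-03-02T11:00:00|shared_rn|VIEW|P300
2024-03-02T11:30:00|ghost|VIEW|P301
"""


def parse_log(text):
    """Parse pipe-delimited log lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "patient": patient})
    return events


def review(events, roster=ROSTER, auto_logoff=AUTO_LOGOFF):
    """Return (finding, user, detail) tuples in chronological order."""
    findings = []
    last_seen = {}        # user -> time of last event in the currently open session
    shared_reported = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts, kind = e["user"], e["ts"], e["event"]

        # Workforce security / termination procedures (§164.308(a)(3)).
        if user not in roster:
            findings.append(("unknown_user", user,
                             f"{kind} at {ts} by an id not in the roster"))
        else:
            _role, terminated = roster[user]
            if terminated is not None and ts >= terminated:
                findings.append(("terminated_user_access", user,
                                 f"{kind} at {ts}, terminated {terminated.date()}"))

        # Unique user identification (§164.312(a)(2)(i)): one finding per shared id.
        if user.startswith(SHARED_PREFIXES) and user not in shared_reported:
            shared_reported.add(user)
            findings.append(("shared_account", user, f"non-individual id used at {ts}"))

        # Automatic logoff (§164.312(a)(2)(iii)): an access event arriving more than
        # auto_logoff after the previous event of the same session, with no new
        # LOGIN in between, shows the idle session was never terminated.
        if kind == "LOGIN":
            last_seen[user] = ts
        elif kind == "LOGOUT":
            last_seen.pop(user, None)
        else:
            prev = last_seen.get(user)
            if prev is not None and ts - prev > auto_logoff:
                findings.append(("auto_logoff_not_enforced", user,
                                 f"{ts - prev} idle before {kind} at {ts}"))
            last_seen[user] = ts
    return findings


if __name__ == "__main__":
    for finding, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{finding:26} {user:10} {detail}")
```

On the constructed log this produces four findings: jdoe's session was still live after 35 minutes of inactivity, rsmith accessed a record the day after termination, shared_rn is a non-individual account, and ghost has no roster entry at all. The last case is the one to watch in a real review: an id in the audit trail that HR cannot account for is either a provisioning gap or an attacker.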
The Security Rule uses two implementation specification types:
- Required (R). The safeguard must be implemented as specified; there is no alternative. Examples: risk analysis (R), unique user identification (R), emergency access procedure (R), data backup plan (R). Standards that carry no implementation specifications, such as audit controls, are mandatory in the same way.
- Addressable (A). The covered entity must assess whether the safeguard is reasonable and appropriate for its environment. If it is, the entity must implement it. If it is not, the entity must document why and implement an equivalent alternative measure. Examples: automatic logoff (A), encryption and decryption (A), contingency plan testing and revision procedures (A). "Addressable" does not mean "optional." It means the entity must either implement the specification, implement an alternative that achieves the same protection, or document why neither is reasonable (which is difficult to defend in an enforcement action).
Encryption is the most frequently misunderstood addressable specification. Encryption of ePHI at rest and in transit is "addressable," which some organizations interpret as "optional." OCR has made clear in guidance and enforcement actions that encryption is expected in virtually all circumstances, and that the addressable designation requires documented justification if encryption is not implemented, not blanket exemption.
The risk analysis (§164.308(a)(1)(ii)(A)) is the single most important HIPAA Security Rule requirement. It requires covered entities and business associates to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information."
The risk analysis must: identify all systems that create, receive, maintain, or transmit ePHI; identify threats and vulnerabilities to those systems; assess the likelihood and impact of potential threats; determine the current level of risk; and document the assessment. The risk analysis is not a one-time project. It must be updated when significant changes occur (new systems, new threats, organizational changes) and reviewed periodically.
OCR's enforcement history demonstrates the risk analysis's centrality: the absence of a comprehensive, current risk analysis is the most common finding in HIPAA enforcement actions. Organizations that cannot produce a documented risk analysis covering their full ePHI environment face the strongest enforcement exposure.
The HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D, §§164.400-414) requires notification when unsecured PHI is breached:
- Individual notification: notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Notification must include: a description of the breach, the types of information involved, steps individuals should take, what the entity is doing, and contact information.
- HHS notification: notify the Secretary of HHS. Breaches affecting 500 or more individuals must be reported at the same time as individual notice (no later than 60 days after discovery) and are posted on the OCR Breach Portal (the "Wall of Shame"). Breaches affecting fewer than 500 individuals must be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered.
- Media notification: breaches affecting more than 500 residents of a single state or jurisdiction require notification to prominent media outlets serving that jurisdiction.
- The safe harbor: if the breached PHI was encrypted in a manner consistent with the HHS guidance on rendering PHI unusable, unreadable, or indecipherable (which points to NIST SP 800-111 for data at rest and NIST's TLS, IPsec, and VPN guidance for data in transit) and the encryption key was not compromised, the PHI is not "unsecured" and notification is not required. This safe harbor is the strongest compliance incentive for encryption. Its limit is worth stating plainly: full-disk encryption covers a lost or stolen powered-off laptop, but it does not help when an attacker authenticates to a running system with stolen credentials, because the system decrypts the data for them on access. Most ransomware and credential-theft incidents fall outside the safe harbor for that reason.
Healthcare is among the most frequently breached industries, and the IBM Cost of a Data Breach Report has ranked it the highest-cost industry for breaches for more than a decade, at an average of $9.77 million per breach in 2024, roughly double the cross-industry average of $4.88 million. Healthcare data is valuable on the black market because it contains personally identifiable information, insurance information, and medical history that enables identity theft, insurance fraud, and extortion, and unlike a payment card it cannot be reissued.
The Change Healthcare ransomware attack (February 2024) disrupted claims and payment processing nationwide, affected over 100 million individuals according to the company's notification to HHS, and cost UnitedHealth Group well over $1 billion in response costs. The attackers logged into a remote access portal with compromised credentials; the portal did not enforce MFA. HIPAA's person or entity authentication standard (§164.312(d)) covers that control, although the current rule does not name MFA explicitly.
OCR enforcement has become more aggressive. Resolution agreements (settlements) have reached $16 million (Anthem, 2018) and $6.85 million (Premera Blue Cross, 2020). State attorneys general have concurrent enforcement authority under the HITECH Act and have pursued their own actions. Class action lawsuits following healthcare breaches routinely cite HIPAA violations as evidence of negligence.
HHS announced a proposed update to the Security Rule in late December 2024 and published the notice of proposed rulemaking in the Federal Register in January 2025. As proposed, it would strengthen requirements significantly: removing the required/addressable distinction so that every implementation specification is required, making encryption of ePHI at rest and in transit mandatory with limited exceptions, mandating multi-factor authentication, requiring vulnerability scanning at least every six months and penetration testing at least annually, and establishing specific patch management timelines (15 days for critical and 30 days for high-severity vulnerabilities, as proposed). The proposal is subject to the rulemaking process and may change before any final rule. The update reflects OCR's recognition that the 2003 Security Rule has not kept pace with the current threat landscape.
The HITECH Act extended HIPAA enforcement directly to business associates. Before HITECH, covered entities were responsible for their business associates' compliance through contractual requirements (BAAs). After HITECH, OCR can enforce directly against business associates that violate the Security Rule. Cloud providers, EHR vendors, IT service providers, and any other entity that handles ePHI must comply with HIPAA's Security Rule standards independently, not just contractually.
HIPAA maps across all six PDM domains:
| HIPAA Safeguard | PDM Domain | Key Controls |
|----------------|-----------|-------------|
| Administrative (risk analysis, workforce security, training, incident response, contingency) | RGA, SPH | Risk assessment, access management, awareness training, IR planning, BCP/DR |
| Physical (facility access, workstation security, device/media controls) | SPH, DPS | Physical access controls, endpoint security, secure disposal |
| Technical (access control, audit, integrity, authentication, transmission security) | IAT, TID, DPS | MFA, unique user ID, audit logging, encryption, monitoring |
CDA's Healthcare FRM (Foundational Recon Mission) variant adds HIPAA-specific assessment components: ePHI inventory (where does ePHI reside?), BAA inventory (which business associates handle ePHI?), risk analysis currency (when was the last risk analysis conducted?), and breach notification readiness (does the organization have a tested notification process?).
CDA's Perpetual Compliance Assurance (PCA) methodology addresses the continuous compliance challenge. "Compliance is not an event. It is a state." HIPAA compliance is not an annual risk analysis followed by 11 months of inattention. PCA ensures that risk analysis is updated when the environment changes, that controls are monitored continuously, that training is delivered regularly, and that audit evidence is collected automatically.
Four TOP missions connect directly to HIPAA compliance:
CDA approaches HIPAA with one emphasis: the risk analysis is not a document. It is an operational process. Organizations that produce a risk analysis report, file it, and do not update it until the next audit have a document, not a risk management program. CDA's risk analysis is integrated into the FRM and Posture Score: every ePHI system is assessed, the posture is scored, and the score is tracked continuously. When a new ePHI system is deployed or a business associate changes, the risk analysis updates because the posture monitoring detects the change.
Written by Evan Morgan