The HIPAA Security Rule
The HIPAA Security Rule requires every covered entity and business associate to protect electronic Protected Health Information (ePHI) through three families of safeguards — administrative, physical, and technical — that together preserve its confidentiality, integrity, and availability.
Safeguards span administrative, physical, and technical controls, each with Required and Addressable implementation specifications.
45 CFR Part 164 Subpart C · U.S. Dept. of Health & Human Services (OCR) · Last reviewed June 2026
Direct Answer
What does the HIPAA Security Rule require?
The HIPAA Security Rule requires every covered entity and business associate to protect electronic PHI (ePHI) through three families of safeguards — administrative, physical, and technical — that together preserve the confidentiality, integrity, and availability of that data. It is enforced by the HHS Office for Civil Rights (hhs.gov/hipaa), and a documented risk analysis is the mandatory starting point. Like all of HIPAA, the Security Rule is a compliance obligation rather than a certification — there is no official “HIPAA certificate”; you demonstrate conformance through implemented safeguards and evidence.
The Three Safeguard Families
Administrative, Physical & Technical
The Security Rule organises ePHI protection into three families of safeguards. Each contains standards with Required or Addressable implementation specifications.
- Administrative: policies, procedures, and workforce training
- Physical: facility access and workstation controls
- Technical: access controls, audit logs, encryption
Required vs Addressable
Security Rule specifications are either Required (must implement) or Addressable (assess and implement if reasonable, or document why an equivalent measure is used).
| Safeguard family | Focus | Representative standards |
|---|---|---|
| Administrative | Policies, procedures, and workforce management of security | Security Management Process (incl. risk analysis), assigned security responsibility, workforce security, training, contingency plan |
| Physical | Protecting facilities, equipment, and media that hold ePHI | Facility access controls, workstation use and security, device and media controls (disposal, re-use) |
| Technical | Technology that controls access to and protects ePHI | Access control (unique IDs, auto-logoff, encryption), audit controls, integrity controls, authentication, transmission security |
45 CFR § 164.308
Administrative Safeguards
Administrative actions, policies, and procedures to manage the selection, development, and maintenance of security measures.
Security Management Process
Risk analysis, risk management, sanction policy, information system activity review
Assigned Security Responsibility
Designate a security official responsible for HIPAA compliance
Workforce Security
Authorization, supervision, clearance procedures, termination procedures
Information Access Management
Access authorization, access establishment, access modification
Security Awareness and Training
Security reminders, protection from malicious software, log-in monitoring, password management
Contingency Plan
Data backup, disaster recovery, emergency operations, testing, criticality analysis
45 CFR § 164.310
Physical Safeguards
Physical measures, policies, and procedures to protect electronic information systems and the buildings and equipment that hold them.
Facility Access Controls
Contingency operations, facility security plan, access control, maintenance records
Workstation Use
Policies for proper workstation use and environment
Workstation Security
Physical safeguards restricting access to workstations
Device & Media Controls
Disposal, media re-use, accountability, data backup/storage
45 CFR § 164.312
Technical Safeguards
Technology and the policies and procedures for its use that protect ePHI and control access to it.
Access Control
Unique user identification, emergency access procedure, automatic logoff, encryption and decryption
Audit Controls
Hardware, software, and procedural mechanisms to record system activity
Integrity Controls
Mechanisms to authenticate ePHI and protect it from improper alteration or destruction
Person/Entity Authentication
Verify identity of persons or entities seeking access
Transmission Security
Integrity controls and encryption for ePHI transmitted over electronic networks
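The three technical standards that engineers most often have to build themselves are encryption, integrity controls and audit controls. The Go program below is an added illustration written for this page; it is not part of the Security Rule, of HHS guidance, or of any product described here. It stores a constructed ePHI record under AES-256-GCM with the record identifier bound as associated data (so a ciphertext copied into another patient's record fails to decrypt rather than returning the wrong chart), and it appends every read, write and integrity failure to a hash-chained audit log whose Verify method reports the first edited or deleted entry. The record IDs, user names, sample diagnosis text and the test key derived from a string are all assumptions for the example; a real deployment would take the key from a KMS or HSM and write the log to an append-only store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one line of a hash-chained audit log (audit controls): Hash covers
// PrevHash plus this entry's fields, so editing or deleting an entry breaks every later link.
type AuditEntry struct{ Timestamp, UserID, Action, RecordID, PrevHash, Hash string }

func entryHash(prev, ts, user, action, record string) string {
	h := sha256.New()
	for _, f := range []string{prev, ts, user, action, record} {
		h.Write([]byte(f))
		h.Write([]byte{0}) // field separator so adjacent values cannot run together
	}
	return hex.EncodeToString(h.Sum(nil))
}

// AuditLog is an in-memory stand-in for an append-only log store.
type AuditLog struct{ Entries []AuditEntry }

func (l *AuditLog) Append(user, action, record string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	ts := time.Now().UTC().Format(time.RFC3339)
	l.Entries = append(l.Entries, AuditEntry{ts, user, action, record, prev, entryHash(prev, ts, user, action, record)})
}

// Verify recomputes the chain; it returns the index of the first bad entry, or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || entryHash(prev, e.Timestamp, e.UserID, e.Action, e.RecordID) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Store keeps ePHI under AES-256-GCM (encryption + integrity); the record ID is the
// associated data, so a ciphertext moved to another patient's record fails to decrypt.
type Store struct {
	aead  cipher.AEAD
	Blobs map[string][]byte // recordID -> nonce || ciphertext
	Log   AuditLog
}

// NewStore takes a 32-byte data-encryption key; in production it comes from a KMS/HSM.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block (16-byte block size)
	return &Store{aead: aead, Blobs: map[string][]byte{}}, nil
}

func (s *Store) Put(user, recordID string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per write; never reuse with one key
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.Blobs[recordID] = append(nonce, s.aead.Seal(nil, nonce, plaintext, []byte(recordID))...)
	s.Log.Append(user, "WRITE", recordID)
	return nil
}

func (s *Store) Get(user, recordID string) ([]byte, error) {
	blob, ok := s.Blobs[recordID]
	if !ok {
		return nil, errors.New("no such record")
	}
	ns := s.aead.NonceSize()
	pt, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil { // integrity failure is audited as its own event, never swallowed
		s.Log.Append(user, "INTEGRITY_FAIL", recordID)
		return nil, err
	}
	s.Log.Append(user, "READ", recordID)
	return pt, nil
}

func main() {
	key := sha256.Sum256([]byte("example-only-test-key")) // constructed; real keys come from a KMS
	s, _ := NewStore(key[:])
	_ = s.Put("dr.alice", "P-001", []byte("dx: J45.20")) // constructed sample ePHI
	s.Blobs["P-002"] = s.Blobs["P-001"]                   // ciphertext swapped between records
	_, err := s.Get("dr.alice", "P-002")
	s.Log.Entries[0].UserID = "mallory" // attacker edits the audit trail
	fmt.Println("swap rejected:", err != nil, "| first bad audit entry:", s.Log.Verify())
}
```

Two design points carry over to real systems. Binding the record identifier as GCM associated data is what turns "encryption" into an integrity control: the tag fails if either the ciphertext or its context is altered. Logging the decryption failure before returning the error is what makes the audit log useful to the information-system activity review the administrative safeguards call for; a store that only logs successful reads hides exactly the events an investigator needs.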
Frequently Asked Questions
Common questions on the HIPAA Security Rule, safeguards, and risk analysis.
What does the HIPAA Security Rule require?
The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) requires covered entities and business associates to protect electronic Protected Health Information (ePHI) by implementing administrative, physical, and technical safeguards that ensure its confidentiality, integrity, and availability. Unlike the Privacy Rule, which covers PHI in any form, the Security Rule applies specifically to ePHI. It is enforced by the HHS Office for Civil Rights (https://www.hhs.gov/hipaa).
What is the difference between "required" and "addressable" specifications?
Each Security Rule implementation specification is labeled either Required or Addressable. Required specifications must be implemented as written. Addressable specifications are not optional — the entity must assess whether the specification is reasonable and appropriate for its environment, implement it if so, or document why it is not and put an equivalent alternative measure in place. "Addressable" means flexible, not skippable.
Is a Security Risk Assessment mandatory under HIPAA?
Yes. A risk analysis (Security Risk Assessment) is a required implementation specification under the Security Management Process administrative safeguard. Covered entities and business associates must conduct an accurate and thorough assessment of the risks and vulnerabilities to all ePHI they create, receive, maintain, or transmit, then implement risk-management measures that reduce those risks to a reasonable and appropriate level. A missing or inadequate risk analysis is one of the most common findings in OCR enforcement actions.
Does HIPAA require encryption of ePHI?
Encryption is an addressable specification, not a flat requirement, but that does not make it optional. An entity must implement encryption where it is reasonable and appropriate, or document why not and adopt an equivalent safeguard. In practice, encrypting ePHI at rest and in transit is strongly advisable: properly encrypted ePHI that is lost or stolen generally falls within the breach "safe harbor" and is not considered unsecured PHI requiring breach notification. The safe harbor only holds if the decryption key was not also compromised, so a laptop with full-disk encryption whose key or passphrase travels with it, or a database whose key sits next to the data, does not qualify.
How do Indian business associates implement the Security Rule?
Indian IT, BPO, and SaaS firms that handle US ePHI are business associates and are directly liable under the Security Rule. They implement the same administrative, physical, and technical safeguards (risk analysis, access controls, audit logging, encryption, workforce training, contingency planning), typically mapped onto an existing ISO 27001 or SOC 2 control environment. Tranquility Cybersecurity helps Indian business associates build this safeguard set and evidence it for US covered entities.
Continue your HIPAA research
- HIPAA compliance hub — the Privacy Rule, Breach Notification, BAAs, and penalties in one place.
- HIPAA consulting for Indian companies — Security Risk Assessments and safeguard implementation (indicative ₹1.5–4L).
- HIPAA for Indian business associates — mapping ePHI safeguards onto ISO 27001 / SOC 2.
- Tranquility Cybersecurity credentials & proof.