What are the HIPAA Security Rule Safeguards?

Modified on Wed, 20 Dec, 2023 at 12:21 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.



What Are the HIPAA Security Rule Safeguards? 

The HIPAA Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. 


What Are Administrative Safeguards? 

The HIPAA Security Rule administrative safeguards consist of administrative actions, policies, and procedures.  These actions, policies, and procedures are used to manage the selection, development, and implementation of security measures.


The administrative safeguards regulation can be found at 45 C.F.R. 164.308.  This provision is subdivided into 45 CFR 164.308(a) and 45 CFR 164.308(b). 


The security management process standard, 45 CFR 164.308(a)(1), requires a covered entity (CE) or business associate (BA) to “Implement policies and procedures to prevent, detect, contain, and address security violations.”

The standard specifies what measures a CE or BA must take to make this implementation. The specified measures are referred to as “implementation specifications.” The implementation specifications for the security management process standard include:


  1. Performing a security risk analysis.

  2. Conducting risk management.

  3. Applying appropriate sanctions against workforce members who fail to comply with a CE or BA’s security policies and procedures.

  4. Conducting information system activity review. Information system activity review includes regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports.


The remaining 45 CFR 164.308(a) requirements include:

  1. Designation of a security official, who is responsible for the development and implementation of our Security Rule policies and procedures. (45 CFR 164.308(a)(2)).

  2. Implementing workforce security measures to ensure that all members of the workforce have appropriate access to electronic protected health information; and to prevent those workforce members who are not given access to ePHI, from obtaining such Access. (45 CFR 164.308(a)(3)).

  3. Implementing policies and procedures for authorizing access to electronic protected health information. (45 CFR 164.308(a)(4)).

  4. Implementing a security awareness and training program for all workforce members, including management. (45 CFR 164.308(a)(5)).

  5. Implementing policies and procedures to address security incidents. (45 CFR 164.308(a)(6)).

  6. Establishing (and implementing), as needed, policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI. (45 CFR 164.308(a)(7)).

  7. Performing a periodic technical and nontechnical evaluation that establishes the extent to which our security policies and procedures meet the requirements of the Security Rule. (45 CFR 164.308(a)(8)).


45 CFR 164.308(b) provides the requirements for business associate agreements: 


  1. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. 

  2. A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

The covered entity (in paragraph “1,” above) and the business associate (in paragraph “2,” above) must document the satisfactory assurances through a written contract or other arrangement with the business associate (in paragraph “1,” above) or the business associate subcontractor (in paragraph “2,” above)  that meets specific content requirements. This “written contract or other arrangement” is typically in the form of a business associate agreement. 


What Are Physical Safeguards?

Physical safeguards protect the physical security of facilities where ePHI may be stored or maintained. Common examples of physical safeguards include:


  1. Alarm systems;

  2. Security systems; and 

  3. Locking areas where ePHI is stored.


Physical safeguard control and security measures must include:


  1. Facility Access and Control Measures:  Covered entities and business associates must limit physical access to facilities, while allowing authorized access to ePHI. 

  2. Workstation and Device Security: Covered entities and business associates must: a) Implement policies and procedures to specify proper use of and access to workstations and electronic media; and b) Have policies and procedures for the transfer, removal, disposal, and re-use of electronic media.  



What Are Technical Safeguards?

Technical safeguards include measures – including firewalls, encryption, and data backup – to implement to keep ePHI secure. These safeguards consist of the following: 


Access Controls: Implementing technical policies and procedures that allow only authorized persons to access ePHI.

Audit Controls: Implementing hardware, software, and/or procedural mechanisms to record and examine access in information systems that contain or use ePHI. 

Integrity Controls: Implementing policies and procedures to ensure that ePHI has not been, and will not be, improperly altered or destroyed.
Authentication Controls:  Implementing procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Transmission Security: Implementing technical security measures that guard against unauthorized access to ePHI that is transmitted over an electronic network.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article