The HIPAA Security Rule establishes national standards for protecting electronic protected health information (ePHI). Unlike the HIPAA Privacy Rule, which addresses the use and disclosure of health information broadly, the Security Rule focuses specifically on the technical and operational safeguards that covered entities and business associates must implement to protect ePHI in electronic form. Understanding these requirements — and implementing them through a structured controls framework — is essential for healthcare organizations, health plans, healthcare clearinghouses, and the growing ecosystem of technology vendors that handle health data.

The Structure of the Security Rule

The Security Rule organizes its requirements into three categories of safeguards: Administrative, Physical, and Technical. Within each category, the rule defines standards (broad objectives) and implementation specifications (specific actions). Implementation specifications are classified as either “required” or “addressable,” a distinction that is widely misunderstood and worth clarifying upfront.

Required specifications must be implemented exactly as described. There is no flexibility here.

Addressable specifications do not mean optional. When a specification is addressable, the organization must assess whether it is a reasonable and appropriate safeguard in its environment. If it is, the organization must implement it. If it is not, the organization must document why and implement an equivalent alternative measure that achieves the same protective objective. Simply deciding not to implement an addressable specification without documented justification is a compliance violation.

Administrative Safeguards (Section 164.308)

Administrative safeguards account for more than half of the Security Rule’s requirements. They establish the management framework for protecting ePHI.

Security Management Process (Required)

Organizations must implement policies and procedures to prevent, detect, contain, and correct security violations. This standard has four implementation specifications:

  • Risk analysis (Required): Conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. This is the foundation of HIPAA compliance. The Office for Civil Rights (OCR) has consistently cited inadequate risk analysis as the most common finding in enforcement actions. A compliant risk analysis must identify all systems that create, receive, maintain, or transmit ePHI, evaluate threats and vulnerabilities for each, assess the likelihood and impact of potential incidents, and determine the appropriate level of risk.
  • Risk management (Required): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Sanction policy (Required): Apply appropriate sanctions against workforce members who fail to comply with security policies.
  • Information system activity review (Required): Implement procedures to regularly review audit logs, access reports, and security incident tracking.

Workforce Security (Addressable)

Controls governing workforce access to ePHI, including authorization and supervision of workforce members, clearance procedures, and termination processes. When employees change roles or leave the organization, access to ePHI must be promptly modified or revoked.

Information Access Management

This standard includes both required and addressable specifications for managing access to ePHI. Healthcare clearinghouses must isolate their functions if they are part of a larger organization (required). Access authorization and modification processes are addressable, meaning organizations must implement them or document equivalent alternatives.

Security Awareness and Training (Addressable)

Organizations must provide security awareness training to all workforce members, including training on recognizing malicious software, login monitoring, and password management. While the specific training format is addressable, the underlying requirement to maintain an informed workforce is not negotiable.

Security Incident Procedures (Required)

Organizations must identify, respond to, and mitigate security incidents, and document incidents and their outcomes. An incident response plan that covers ePHI-specific scenarios is a baseline requirement.

Contingency Planning

Business continuity and disaster recovery for systems containing ePHI. Required specifications include a data backup plan, disaster recovery plan, and emergency mode operation plan. Testing and revision of contingency plans and assessment of the criticality of applications are addressable.

Evaluation (Required)

Perform periodic technical and nontechnical evaluations to determine the extent to which security policies and procedures meet Security Rule requirements. This must be triggered by environmental or operational changes and conducted on a regular schedule. For a step-by-step audit preparation timeline, see our audit readiness checklist.

Business Associate Contracts (Required)

Written contracts must require business associates to implement appropriate safeguards for ePHI. This requirement extends HIPAA’s reach to the entire supply chain of organizations that handle health data on behalf of covered entities.

Physical Safeguards (Section 164.310)

Physical safeguards protect the physical infrastructure and devices that store or provide access to ePHI.

Facility Access Controls (Addressable)

Policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed. Implementation specifications include contingency operations procedures, facility security plans, access control and validation procedures, and maintenance records.

Workstation Use (Required)

Specify the proper functions to be performed at workstations that access ePHI, the manner in which those functions are to be performed, and the physical attributes of the surroundings.

Workstation Security (Required)

Implement physical safeguards that restrict access to workstations that can access ePHI to authorized users only.

Device and Media Controls

Govern the receipt, removal, movement, and disposal of hardware and electronic media containing ePHI. Required specifications include disposal and media re-use procedures. Accountability tracking and data backup before moving equipment are addressable.

Technical Safeguards (Section 164.312)

Technical safeguards address the technology and related policies that protect ePHI and control access to it.

Access Control (Required and Addressable)

Implement technical measures to allow only authorized persons to access ePHI. Required specifications include unique user identification and emergency access procedures. Automatic logoff and encryption at rest are addressable — though in practice, encryption of ePHI at rest has become a baseline expectation given the current threat landscape.

Audit Controls (Required)

Implement hardware, software, or procedural mechanisms to record and examine activity in information systems that contain or use ePHI. This means logging access, modifications, and deletions of ePHI with sufficient detail to support forensic investigation.

Integrity (Addressable)

Implement policies and procedures to protect ePHI from improper alteration or destruction. The addressable specification calls for electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

Person or Entity Authentication (Required)

Implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be. Multi-factor authentication, while not explicitly named in the original rule text, has become the practical standard for meeting this requirement.

Transmission Security (Addressable)

Implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. Integrity controls and encryption are both addressable specifications, but transmitting ePHI unencrypted over public networks is difficult to justify in any risk assessment. Healthcare organizations with EU patients must also address GDPR requirements alongside HIPAA.

HIPAA Security Rule Safeguards Summary

| Safeguard Category | Section | Key Specifications | Required/Addressable |
|---|---|---|---|
| Administrative | §164.308 | Security management, workforce security, access management, training, incident procedures, contingency planning, evaluation, BA contracts | Mix of both |
| Physical | §164.310 | Facility access, workstation use, workstation security, device and media controls | Mix of both |
| Technical | §164.312 | Access control, audit controls, integrity, authentication, transmission security | Mix of both |

Key distinction: “Required” specifications must be implemented. “Addressable” specifications must be assessed — if an organization determines a specification is reasonable and appropriate, it must implement it; if not, it must document why and implement an equivalent alternative.

Why a Controls-Based Approach Works Better

The Security Rule’s structure of standards and implementation specifications provides a regulatory framework, but it does not give organizations a practical implementation roadmap. The requirements are written in regulatory language that must be translated into concrete technical and operational controls.

This is where the Secure Controls Framework adds significant value. SCF maps HIPAA Security Rule requirements to specific, actionable controls with clear implementation guidance. Rather than interpreting regulatory text and building controls from scratch, organizations can adopt SCF controls that are already mapped to the corresponding HIPAA standards.

The controls-based approach also solves the multi-framework challenge that healthcare organizations increasingly face. A hospital system may need to comply with HIPAA, meet SOC 2 requirements for its patient portal, satisfy state privacy laws, and align with NIST CSF for overall cybersecurity maturity. Managing each framework independently creates duplicated controls, inconsistent documentation, and inefficient use of limited security resources.

Through SCF, a single access control implementation can satisfy HIPAA’s access control standard (164.312(a)), SOC 2’s CC6 criteria, and NIST CSF’s PR.AC function simultaneously. The mapping is maintained by the SCF community and kept current as frameworks are updated.

How SCF Connect Supports Healthcare Compliance

SCF Connect provides healthcare organizations with practical tools for managing HIPAA compliance within a broader control framework:

  • Complete HIPAA Security Rule mapping: Every standard and implementation specification is mapped to corresponding SCF controls, with clear distinctions between required and addressable specifications.
  • Risk analysis support: Assessment workflows guide organizations through systematic evaluation of risks to ePHI, with documentation that aligns with OCR expectations.
  • Cross-framework visibility: Manage HIPAA alongside ISO 27001, NIST 800-53, and other applicable frameworks from a single platform, eliminating duplicated compliance efforts.
  • Evidence management: Attach policies, configurations, training records, and other artifacts directly to controls. When OCR comes calling or a business associate requests assurance documentation, your evidence is organized and accessible.
  • Gap analysis: Identify which HIPAA requirements are fully addressed, partially implemented, or not yet started, with prioritization guidance based on OCR enforcement trends.

HIPAA compliance is not a one-time achievement. The Security Rule explicitly requires ongoing evaluation and adaptation as threats evolve and organizational environments change. SCF Connect provides the infrastructure to maintain continuous compliance rather than periodic scrambles before audits or in response to incidents.

Start your free trial to see how SCF Connect maps your existing controls to HIPAA Security Rule requirements and identifies gaps before regulators do.

Frequently Asked Questions

What are the three safeguard categories under the HIPAA Security Rule?

The HIPAA Security Rule organizes its requirements into three categories: Administrative Safeguards (§164.308), which cover policies, procedures, and workforce management; Physical Safeguards (§164.310), which address facility and device security; and Technical Safeguards (§164.312), which cover access controls, audit logging, encryption, and transmission security.

What is the difference between required and addressable HIPAA specifications?

Required specifications must be implemented as written — there is no flexibility. Addressable specifications require a risk-based assessment: if the specification is reasonable and appropriate for your environment, you must implement it. If not, you must document your rationale and implement an equivalent alternative measure.

What is a HIPAA risk analysis?

A HIPAA risk analysis (required under §164.308(a)(1)) is a comprehensive assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). It forms the foundation of a compliant security program and must be updated regularly as the environment changes.

How does HIPAA relate to other security frameworks?

HIPAA requirements overlap significantly with frameworks like SOC 2, ISO 27001, and NIST CSF. The Secure Controls Framework maps HIPAA safeguards to controls shared across these standards, enabling healthcare organizations to manage multiple frameworks through a single control set.
