How Does HIPAA Address Security Safeguards?

HIPAA addresses security safeguards through the HIPAA Security Rule, which requires HIPAA Covered Entities and applicable Business Associates to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information. These safeguards are supported by a documented risk analysis, risk management actions, written policies and procedures, workforce training, and ongoing evaluation.

Administrative safeguards under the HIPAA Security Rule include assigned security responsibility, workforce security controls, information access management, security awareness and training, security incident procedures, contingency planning, and periodic evaluation of the security program. A documented risk analysis identifies reasonably anticipated threats to, and vulnerabilities of, electronic protected health information, and risk management measures reduce those risks to an appropriate level. Covered Entities and Business Associates are expected to maintain written policies and procedures that align with their systems, workflows, and technology environment, and to retain the documentation the HIPAA Security Rule requires for the retention period it specifies.

Physical safeguards address facility and device protections that reduce unauthorized physical access to electronic protected health information. These safeguards include facility access controls, workstation use controls, workstation security controls, and device and media controls for the receipt, removal, disposal, and reuse of hardware and electronic media. Physical safeguards also include procedures that limit access to areas where systems storing electronic protected health information are located and procedures that manage portable devices and removable media when used in the environment.

Technical safeguards address access to systems and the protection of electronic protected health information within electronic systems and in transmission. These safeguards include unique user identification and other access controls, audit controls that record and examine system activity, integrity controls that protect against improper alteration or destruction, person or entity authentication, and transmission security that protects electronic protected health information when it is transmitted over electronic communications networks. Security safeguards also extend to vendor relationships: when a Business Associate creates, receives, maintains, or transmits electronic protected health information, a written business associate agreement is required, and subcontractors must apply equivalent safeguards. Security failures that lead to unauthorized access or disclosure may trigger breach evaluation and notification duties under the HIPAA Breach Notification Rule.
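To make the technical safeguards listed above concrete, the following Python sketch (an added example, not code from this article or any HHS reference implementation) shows how unique user identification, access control, audit controls and integrity controls fit together in one small design. The roles, user IDs, policy table and record identifiers are constructed for the example; the audit key is a placeholder that a real system would hold in a secrets manager or HSM. Transmission security (TLS on the wire) is outside the scope of the snippet and is only noted in a comment.

```python
"""Illustrative technical safeguards for ePHI: unique user IDs, role-based
access control, audit logging of every access attempt, and an HMAC-chained
audit trail that detects improper alteration or deletion of log entries.
Added example for this page; not an official or reference implementation."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder. In production the audit key lives in a secrets
# manager or HSM and is never checked into source.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed role-based policy: which roles may perform which actions on ePHI.
POLICY = {
    "physician": {"read", "update"},
    "billing": {"read"},
    "facilities": set(),   # no ePHI access at all
}

# Unique user identification: each workforce member has their own ID,
# so every audit entry is attributable to one person (no shared logins).
USERS = {
    "u1001": {"name": "Dr. Example", "role": "physician"},
    "u2002": {"name": "Billing Clerk", "role": "billing"},
    "u3003": {"name": "Facilities Staff", "role": "facilities"},
}


class AuditLog:
    """Append-only audit trail. Each entry's tag is an HMAC over the entry
    plus the previous tag, so editing, deleting or reordering any record
    changes every later tag and verify() reports the trail as broken."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _tag(self, body, prev_tag):
        payload = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, user_id, action, record_id, outcome, when=None):
        body = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_id,
            "outcome": outcome,
        }
        prev = self.entries[-1]["tag"] if self.entries else ""
        entry = dict(body, tag=self._tag(body, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain from the start; False on any mismatch."""
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(body, prev), e["tag"]):
                return False
            prev = e["tag"]
        return True


def access_phi(audit, user_id, action, record_id):
    """Access control check; every attempt is logged, allowed or denied.
    (Data returned to the caller would travel over TLS; not shown here.)"""
    user = USERS.get(user_id)
    if user is None:
        audit.record(user_id, action, record_id, "denied:unknown-user")
        return False
    allowed = action in POLICY.get(user["role"], set())
    audit.record(user_id, action, record_id, "allowed" if allowed else "denied")
    return allowed


def demo():
    """Run four constructed access attempts, then simulate log tampering."""
    audit = AuditLog(AUDIT_KEY)
    results = [
        access_phi(audit, "u1001", "read", "MRN-0001"),    # physician reads
        access_phi(audit, "u2002", "update", "MRN-0001"),  # billing may not update
        access_phi(audit, "u3003", "read", "MRN-0001"),    # facilities has no access
        access_phi(audit, "u9999", "read", "MRN-0001"),    # unknown account
    ]
    intact_before = audit.verify()
    # Improper alteration: someone rewrites a denial as an approval.
    audit.entries[2]["outcome"] = "allowed"
    tamper_detected = not audit.verify()
    return results, intact_before, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The point of the chained HMAC is that an audit control is only as useful as its integrity: a reviewer examining the log (the "examine" half of the audit-controls safeguard) can prove the trail has not been edited since it was written, provided the key is held separately from the systems that write the log.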

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA