Skip to main content
> HIPAA

Health Insurance Portability and Accountability Act

Protecting patient health information through mandated security safeguards

Established: 1996 (Security Rule effective 2005) Last Updated: 2013 (Omnibus Rule) Scope: United States
750,000+
Covered Entities

What does the HIPAA Security Rule require?

The HIPAA Security Rule requires covered entities and their business associates to protect electronic protected health information (ePHI) through administrative, physical, and technical safeguards. Core requirements include a risk analysis, a designated Security Official, access controls, audit logging, encryption where reasonable, workforce training, and business associate agreements. HIPAA is flexible by design: safeguards scale to the size and complexity of the organization, but the risk analysis and the named Security Official are not optional. The HHS Office for Civil Rights enforces the rule, with penalties reaching over $2 million per violation category per year.

// What is HIPAA?

HIPAA establishes national standards for protecting sensitive patient health information from disclosure without patient consent. The law applies to healthcare providers, health plans, and healthcare clearinghouses, along with their business associates who handle protected health information (PHI).

The Security Rule specifically requires covered entities to implement administrative, physical, and technical safeguards ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI). Organizations must conduct risk assessments, implement appropriate controls, and maintain documentation demonstrating compliance efforts.

Enforcement has intensified significantly since 2018, with the Office for Civil Rights (OCR) pursuing both large health systems and small practices for violations. The 2013 Omnibus Rule expanded business associate liability and strengthened breach notification requirements.

Proposed Update: Not Yet Final

In December 2024 the HHS Office for Civil Rights proposed the first major overhaul of the HIPAA Security Rule since 2003 (published in the Federal Register on January 6, 2025). The public comment period closed March 7, 2025. As of mid-2026 the rule is still proposed: not finalized and not withdrawn, after a January 2025 regulatory freeze and heavy industry pushback pushed it past its targeted timeline. Nothing below is law yet, but it signals where HIPAA security is heading and what to start preparing for now.

  • No more "addressable" safeguards

    The proposal removes the required-versus-addressable distinction. Controls such as encryption of ePHI and multi-factor authentication would become mandatory, though organizations would still choose how to implement them.

  • Encryption and MFA required

    Encryption of ePHI at rest and in transit, and multi-factor authentication for systems that access ePHI, would be required rather than discretionary.

  • Asset inventory and network map

    Covered entities and business associates would maintain a written inventory of technology assets and a map of how ePHI moves through their systems, reviewed at least annually.

  • Regular testing and review

    The proposal adds penetration testing at least once a year, vulnerability scanning at least every six months, and written policies that are reviewed and tested on a set schedule.

// Inside the Regulation

The HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) establishes the standards most relevant to cybersecurity programs. It's structured around three safeguard categories, each containing required and addressable implementation specifications.

1

Administrative Safeguards

§164.308

The largest section covering policies and procedures governing ePHI protection. These controls address organizational behavior and workforce management.

Risk Analysis & Management

Required assessment of potential risks to ePHI, plus measures to reduce them to reasonable levels. This is where most OCR enforcement actions originate.

Workforce Security

Authorization procedures, clearance processes, and termination protocols ensuring only appropriate personnel access ePHI.

Security Awareness Training

Ongoing education including phishing awareness, password management, and security reminders for all workforce members.

Contingency Planning

Data backup plans, disaster recovery procedures, and emergency mode operations ensuring ePHI availability during crises.

Business Associate Management

Written contracts (BAAs) requiring partners to implement equivalent safeguards when handling PHI.

2

Physical Safeguards

§164.310

Controls protecting the physical infrastructure housing ePHI systems and the hardware itself.

Facility Access Controls

Policies and procedures limiting physical access to electronic information systems and facilities housing them.

Workstation Security

Physical safeguards for workstations accessing ePHI, including positioning and access restrictions.

Device and Media Controls

Procedures governing hardware disposal, media reuse, and movement of devices containing ePHI.

3

Technical Safeguards

§164.312

The technology and policies protecting ePHI and controlling access. These are the controls security teams implement and monitor daily.

Access Controls

Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption mechanisms.

Audit Controls

Hardware, software, and procedural mechanisms recording and examining system activity containing ePHI.

Integrity Controls

Policies and procedures protecting ePHI from improper alteration or destruction.

Transmission Security

Technical measures guarding against unauthorized access to ePHI transmitted over networks.

Note: The Security Rule distinguishes between 'required' specifications (must implement) and 'addressable' specifications (implement if reasonable, or document why an alternative provides equivalent protection). Addressable does not mean optional. Organizations must either implement the specification or document why it's not reasonable and what alternative measures they've adopted.

// Who Must Comply

  • 1 Healthcare providers transmitting health information electronically (hospitals, clinics, physicians, dentists, pharmacies)
  • 2 Health plans (health insurers, HMOs, employer-sponsored plans, government programs like Medicare/Medicaid)
  • 3 Healthcare clearinghouses processing nonstandard health information
  • 4 Business associates handling PHI on behalf of covered entities (IT vendors, billing companies, cloud providers, consultants)
  • 5 Subcontractors of business associates with PHI access

// Key Requirements

Risk Assessment

Conduct accurate and thorough assessments of risks to ePHI confidentiality, integrity, and availability

Access Management

Implement role-based access controls ensuring workforce members only access PHI necessary for their functions

Encryption

Encrypt ePHI at rest and in transit, or document why encryption is not reasonable and implement equivalent measures

Breach Notification

Notify affected individuals within 60 days of breach discovery, plus HHS and media for breaches affecting 500+ individuals

Documentation

Maintain written policies, procedures, and evidence of compliance activities for six years

Training

Provide regular security awareness training to all workforce members with PHI access

// Enforcement & Penalties

OCR enforces HIPAA through investigations and audits, with penalties based on the level of negligence. Willful neglect violations carry the steepest fines, while organizations demonstrating good-faith compliance efforts may receive reduced penalties.

Maximum Penalty

$1.5 million per violation category per year

Examples:

  • Anthem Inc. - $16 million settlement for breach affecting 79 million individuals
  • Premera Blue Cross - $6.85 million for breach affecting 10.4 million
  • Banner Health - $1.25 million for lack of risk analysis and risk management

// Cyber Insurance Impact

Cyber insurers increasingly require documented HIPAA compliance programs before issuing policies to healthcare organizations. Claims involving PHI breaches trigger policy provisions requiring evidence of Security Rule compliance. Inadequate HIPAA programs can result in coverage denials or significantly increased premiums. Many insurers now require annual risk assessments and penetration testing as coverage conditions.

// Common Questions

Who must comply with HIPAA?

HIPAA applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and to their business associates (vendors that handle ePHI on their behalf, such as cloud providers, billing companies, and IT firms). Business associates are directly liable for Security Rule compliance and must sign a business associate agreement with each covered entity they serve.

Does HIPAA require penetration testing?

HIPAA does not name penetration testing as an explicit requirement, but the Security Rule requires a risk analysis and periodic evaluation of security controls (45 CFR 164.308(a)(8)). HHS guidance and OCR enforcement treat technical testing, including penetration testing and vulnerability scanning, as a reasonable way to meet the evaluation standard. For most organizations handling significant ePHI, regular testing is the practical path to defensible compliance.

Can a virtual CISO serve as the HIPAA Security Official?

HIPAA requires a single named Security Official responsible for the security program (45 CFR 164.308(a)(2)), but it does not require that person to be an employee. Many covered entities and business associates assign the role to an outside expert while keeping internal accountability. A virtual CISO can serve as or support the Security Official, bringing program leadership that small teams often lack in-house.

Is the HIPAA Security Rule changing in 2025 or 2026?

A change is proposed but not yet in effect. In December 2024 the HHS Office for Civil Rights published a Notice of Proposed Rulemaking to modernize the HIPAA Security Rule for the first time since 2003. It would make encryption and multi-factor authentication mandatory, remove the "addressable" safeguard category, and add written asset inventories, network mapping, annual penetration testing, and vulnerability scanning every six months. The comment period closed in March 2025; as of mid-2026 the rule is not final and could still change, be delayed, or be withdrawn. Treat it as a strong signal of where to invest, not yet a requirement.

// Related Frameworks

// Industries That Need HIPAA

These industries commonly require HIPAA compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873