Health Insurance Portability and Accountability Act
Protecting patient health information through mandated security safeguards
What does the HIPAA Security Rule require?
The HIPAA Security Rule requires covered entities and their business associates to protect electronic protected health information (ePHI) through administrative, physical, and technical safeguards. Core requirements include a risk analysis, a designated Security Official, access controls, audit logging, encryption where reasonable, workforce training, and business associate agreements. HIPAA is flexible by design: safeguards scale to the size and complexity of the organization, but the risk analysis and the named Security Official are not optional. The HHS Office for Civil Rights enforces the rule, with penalties reaching over $2 million per violation category per year.
// What is HIPAA?
HIPAA establishes national standards for protecting sensitive patient health information from disclosure without patient consent. The law applies to healthcare providers, health plans, and healthcare clearinghouses, along with their business associates who handle protected health information (PHI).
The Security Rule specifically requires covered entities to implement administrative, physical, and technical safeguards ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI). Organizations must conduct risk assessments, implement appropriate controls, and maintain documentation demonstrating compliance efforts.
Enforcement has intensified significantly since 2018, with the Office for Civil Rights (OCR) pursuing both large health systems and small practices for violations. The 2013 Omnibus Rule expanded business associate liability and strengthened breach notification requirements.
In December 2024 the HHS Office for Civil Rights proposed the first major overhaul of the HIPAA Security Rule since 2003 (published in the Federal Register on January 6, 2025). The public comment period closed March 7, 2025. As of mid-2026 the rule is still proposed: not finalized and not withdrawn, after a January 2025 regulatory freeze and heavy industry pushback pushed it past its targeted timeline. Nothing below is law yet, but it signals where HIPAA security is heading and what to start preparing for now.
-
No more "addressable" safeguards
The proposal removes the required-versus-addressable distinction. Controls such as encryption of ePHI and multi-factor authentication would become mandatory, though organizations would still choose how to implement them.
-
Encryption and MFA required
Encryption of ePHI at rest and in transit, and multi-factor authentication for systems that access ePHI, would be required rather than discretionary.
-
Asset inventory and network map
Covered entities and business associates would maintain a written inventory of technology assets and a map of how ePHI moves through their systems, reviewed at least annually.
-
Regular testing and review
The proposal adds penetration testing at least once a year, vulnerability scanning at least every six months, and written policies that are reviewed and tested on a set schedule.
// Inside the Regulation
The HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) establishes the standards most relevant to cybersecurity programs. It's structured around three safeguard categories, each containing required and addressable implementation specifications.
Administrative Safeguards
§164.308The largest section covering policies and procedures governing ePHI protection. These controls address organizational behavior and workforce management.
Risk Analysis & Management
Required assessment of potential risks to ePHI, plus measures to reduce them to reasonable levels. This is where most OCR enforcement actions originate.
Workforce Security
Authorization procedures, clearance processes, and termination protocols ensuring only appropriate personnel access ePHI.
Security Awareness Training
Ongoing education including phishing awareness, password management, and security reminders for all workforce members.
Contingency Planning
Data backup plans, disaster recovery procedures, and emergency mode operations ensuring ePHI availability during crises.
Business Associate Management
Written contracts (BAAs) requiring partners to implement equivalent safeguards when handling PHI.
Physical Safeguards
§164.310Controls protecting the physical infrastructure housing ePHI systems and the hardware itself.
Facility Access Controls
Policies and procedures limiting physical access to electronic information systems and facilities housing them.
Workstation Security
Physical safeguards for workstations accessing ePHI, including positioning and access restrictions.
Device and Media Controls
Procedures governing hardware disposal, media reuse, and movement of devices containing ePHI.
Technical Safeguards
§164.312The technology and policies protecting ePHI and controlling access. These are the controls security teams implement and monitor daily.
Access Controls
Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption mechanisms.
Audit Controls
Hardware, software, and procedural mechanisms recording and examining system activity containing ePHI.
Integrity Controls
Policies and procedures protecting ePHI from improper alteration or destruction.
Transmission Security
Technical measures guarding against unauthorized access to ePHI transmitted over networks.
Note: The Security Rule distinguishes between 'required' specifications (must implement) and 'addressable' specifications (implement if reasonable, or document why an alternative provides equivalent protection). Addressable does not mean optional. Organizations must either implement the specification or document why it's not reasonable and what alternative measures they've adopted.
// Who Must Comply
- 1 Healthcare providers transmitting health information electronically (hospitals, clinics, physicians, dentists, pharmacies)
- 2 Health plans (health insurers, HMOs, employer-sponsored plans, government programs like Medicare/Medicaid)
- 3 Healthcare clearinghouses processing nonstandard health information
- 4 Business associates handling PHI on behalf of covered entities (IT vendors, billing companies, cloud providers, consultants)
- 5 Subcontractors of business associates with PHI access
// Key Requirements
Risk Assessment
Conduct accurate and thorough assessments of risks to ePHI confidentiality, integrity, and availability
Access Management
Implement role-based access controls ensuring workforce members only access PHI necessary for their functions
Encryption
Encrypt ePHI at rest and in transit, or document why encryption is not reasonable and implement equivalent measures
Breach Notification
Notify affected individuals within 60 days of breach discovery, plus HHS and media for breaches affecting 500+ individuals
Documentation
Maintain written policies, procedures, and evidence of compliance activities for six years
Training
Provide regular security awareness training to all workforce members with PHI access
// Enforcement & Penalties
OCR enforces HIPAA through investigations and audits, with penalties based on the level of negligence. Willful neglect violations carry the steepest fines, while organizations demonstrating good-faith compliance efforts may receive reduced penalties.
$1.5 million per violation category per year
Examples:
- Anthem Inc. - $16 million settlement for breach affecting 79 million individuals
- Premera Blue Cross - $6.85 million for breach affecting 10.4 million
- Banner Health - $1.25 million for lack of risk analysis and risk management
// Cyber Insurance Impact
Cyber insurers increasingly require documented HIPAA compliance programs before issuing policies to healthcare organizations. Claims involving PHI breaches trigger policy provisions requiring evidence of Security Rule compliance. Inadequate HIPAA programs can result in coverage denials or significantly increased premiums. Many insurers now require annual risk assessments and penetration testing as coverage conditions.
// How Breach Craft Helps
We help organizations achieve HIPAA compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of HIPAA.
Gap Assessment
Measure your security against industry standards.
Penetration Testing
Find the gaps before attackers do.
Virtual CISO
Executive security leadership on demand.
Tabletop Exercises
Practice your incident response.
Application Testing
Find what scanners miss.
Wireless Security Testing
Secure your wireless infrastructure.
// Common Questions
Who must comply with HIPAA?
Does HIPAA require penetration testing?
Can a virtual CISO serve as the HIPAA Security Official?
Is the HIPAA Security Rule changing in 2025 or 2026?
// Industries That Need HIPAA
These industries commonly require HIPAA compliance as part of their regulatory obligations.
Guide last reviewed: June 15, 2026
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873