Introduction#
The HIPAA Security Rule establishes national standards for protecting electronic Protected Health Information (ePHI). This guide provides a comprehensive implementation framework that addresses all 164 controls across administrative, physical, and technical safeguards.
We focus on practical implementation strategies that satisfy OCR audit requirements while remaining operationally feasible for organizations of all sizes.
Understanding HIPAA Requirements#
HIPAA compliance involves multiple rules, but the Security Rule is the technical foundation. Understanding the hierarchy helps prioritize implementation efforts.
Required vs. Addressable
Privacy Rule
Governs use and disclosure of PHI. Establishes patient rights and limits on data sharing.
Security Rule
Technical and operational safeguards for ePHI. Focus of this guide.
Breach Notification Rule
Requirements for notifying individuals, HHS, and media of breaches.
Omnibus Rule
2013 updates extending requirements to business associates and enhancing enforcement.
Risk Analysis Foundation#
Risk Analysis is the foundation of HIPAA compliance. It informs all security decisions and must be documented thoroughly.
Identify ePHI Locations
Document every system, device, and application that creates, receives, maintains, or transmits ePHI. Include cloud services, mobile devices, and paper that gets scanned.
Identify Threats and Vulnerabilities
For each ePHI location, identify potential threats (malware, unauthorized access, natural disasters) and vulnerabilities (unpatched systems, weak passwords, lack of encryption).
Assess Current Controls
Document existing security measures and their effectiveness. Identify gaps where controls are missing or inadequate.
Determine Risk Levels
Evaluate likelihood and impact of each threat-vulnerability combination. Prioritize risks for remediation.
Document and Remediate
Create a risk register with all identified risks, current controls, and remediation plans. This becomes your compliance roadmap.
Common Mistake
Administrative Safeguards#
Administrative safeguards are policies and procedures to manage the selection, development, and maintenance of security measures. They represent about 50% of the Security Rule requirements.
Physical Safeguards#
Physical safeguards protect electronic systems and data from unauthorized physical access, tampering, and theft.
Focus on facility access controls, workstation security, and device disposal. These controls prevent unauthorized physical access to ePHI.
Technical Safeguards#
Technical safeguards are the technology and policies for protecting ePHI and controlling access to it. These are the controls most familiar to security professionals.
Encryption Best Practice
Business Associate Management#
Business Associates are now directly liable under HIPAA. You must maintain Business Associate Agreements (BAAs) with all vendors that access ePHI.
Inventory Business Associates
Document all vendors with potential ePHI access. Include cloud services, IT support, shredding companies, and consultants.
Execute BAAs
Ensure valid BAAs are in place before sharing any ePHI. BAAs must include specific provisions required by the Security Rule.
Assess BA Security
Conduct due diligence on business associate security practices. Request SOC 2 reports or HIPAA attestations, or conduct security questionnaires.
Monitor Ongoing Compliance
Periodically review business associate compliance. Include provisions in BAAs for audit rights and breach notification.
Breach Preparedness#
Despite best efforts, breaches can occur. Preparation ensures you can respond effectively while meeting notification requirements.
Breach Notification Timeline
Next Steps#
HIPAA compliance is an ongoing journey. Here's how to get started.
Conduct Risk Analysis
If you haven't completed a formal risk analysis, this is your first priority. Use our risk analysis template or engage expert assistance.
Gap Assessment
Compare your current controls against all Security Rule requirements. Prioritize gaps based on risk severity.
Remediation Roadmap
Create a prioritized plan to address identified gaps. Focus on high-risk items and required specifications first.
Get Expert Help