HIPAA Security Rule: Implementing Safeguards to Protect ePHI

The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI protection. Learn about their implementation specifications.


Discussions of HIPAA generally center on the efficiency and effectiveness of the US healthcare system. However, organizations that are subject to HIPAA would also mention the long and often complicated road to compliance with its Rules and Regulations. Businesses are especially concerned with implementing the appropriate measures to protect sensitive data. The HIPAA Security Rule outlines the safeguards necessary for ePHI protection, and this article explains their implementation in simpler terms.

What is HIPAA Compliance?

The 1996 Health Insurance Portability and Accountability Act (HIPAA) consists of the HIPAA Privacy and Security Rules, the HIPAA Breach Notification Rule, the HIPAA Omnibus Rule, and the HIPAA Enforcement Rule. There is no hierarchy among these rules, so organizations have to meet the requirements of all of them equally if they want to achieve full HIPAA compliance.

HIPAA compliance involves fulfilling the conditions of the 1996 HIPAA, its subsequent amendments, and any related legislation such as HITECH. So, regardless of their size and complexity, covered entities and business associates must ensure that they apply all administrative, technical, and physical safeguards required by the Security Rule. They must protect the confidentiality, integrity, and availability of PHI using the policies stated in the Privacy Rule, and follow the procedure in the HIPAA Breach Notification Rule in case any breach of PHI occurs. Finally, organizations must fulfill the HIPAA requirements regarding data breaches and their subsequent mitigation.

HIPAA Security Rule

This article focuses on the HIPAA Security Rule because it addresses one of the main data security concerns that businesses have: what standards and measures must be applied to safeguard and protect sensitive data? Both covered entities and business associates must know that this rule applies to anybody that has access to electronic protected health information (ePHI). Here, “ePHI” is individually identifiable information relating to an individual’s health status that is created, collected, transmitted, or maintained in any electronic format or media, and “access” means having the ability to read, write, modify, or communicate ePHI that could reveal an individual’s identity.

The HIPAA Security Rule outlines appropriate administrative, physical, and technical safeguards for ePHI protection. These safeguards are achieved by implementing the required policies and procedures. However, the Rule does not specify what those compliance policies and procedures must be. These requirements are intentionally vague so that they apply equally to every type of organization that creates, accesses, processes, or stores ePHI.

Implementation specifications

To understand the Security Rule requirements, covered entities and business associates should be aware of the main implementation specifications. For this purpose, we developed a free compliance assessment application, HIPAA Vitals. HIPAA Vitals considers the organization’s technical profile to select appropriate security controls. The assessment is based on reputable sources including the Office for Civil Rights (OCR) Audit Protocol, NIST 800-66 Rev. 1, the HIPAA Security Series issued by the Department of Health and Human Services (DHHS), and our professionals’ years of experience implementing HIPAA requirements in different organizations.

Flexible vs. scalable 

HHS recognizes that each covered entity is unique and that no totally secure system exists. As such, all the policies and procedures of the HIPAA Security Rule were intentionally designed to be technology-neutral and scalable (p. 7). This means that they are equally applicable to the smallest of provider practices, the largest of health plans, and their business associates. To decide which measure to use, it is necessary to conduct an accurate risk assessment, evaluate the security measures in place, and take into consideration factors unique to each organization (e.g., size, operations). Based on these characteristics, the Rule provides a series of documented solutions to all types of covered entities while affording flexibility in their implementation.

Required vs. addressable

All safeguards defined in the HIPAA Security Rule come with implementation specifications that are either required or addressable. If a policy or procedure is required, the covered entity must implement it regardless of the organization’s size, scope, and complexity. If a policy or procedure is addressable, the covered entity must assess whether implementing that safeguard is reasonable and appropriate in its environment based on the above criteria; it may then implement it, implement an equivalent alternative, or document why it is not applicable. Such assessments and decisions must be documented for compliance purposes.

Security Safeguards 

As already stated, the Security Rule contains administrative, physical, and technical safeguards necessary to keep ePHI safe from unauthorized disclosure, access, or use. Here is a detailed explanation of these safeguards as well as the specifications for their successful implementation.

Administrative Safeguards 

The Security Rule defines administrative safeguards as “administrative actions, policies, and procedures to manage the implementation, selection, and maintenance of security measures to protect ePHI and to manage the workforce conduct concerning the protection of that information” (p. 2).

Administrative safeguards are the key elements of a HIPAA compliance checklist. They require assigning a Security Officer who puts in place all the measures and policies needed to protect ePHI. Here is a list of questions that covered entities must ask themselves while assessing their compliance:

  • Do you conduct periodic risk assessments to identify potential risks and vulnerabilities to your ePHI?
  • Does your organization have a formal role whose responsibility is to develop policies and controls necessary to comply with the HIPAA Security Rule requirements?
  • Do you train your workforce members on secure computing and PHI data handling?

To better understand how these questions are connected to the Security Rule realities, consider the following administrative safeguards:


Physical Safeguards 

Physical safeguards are “physical measures to protect a covered entity’s electronic information systems as well as related buildings and equipment from natural and environmental hazards, and unauthorized intrusion” (p. 2). The main standards under physical safeguards are workstation use and security, facility access controls, and device/media controls. Covered entities must implement these safeguards regardless of the physical location of their assets.

Here are some questions to answer while considering the physical safeguards of your information system:

  • Do you have a process for documenting all maintenance, repairs, changes, and installations performed on your physical security components such as doors, locks, electronic access systems, HVAC, etc.?
  • Have you identified physical security requirements for protecting the workstation from unauthorized access?
  • Do you have a system (such as labeling) for easily and accurately identifying your physical media?

The above questions, together with the following implementation specifications, help you better understand and assess the level of the organization’s safeguards in protecting ePHI.

Technical Safeguards 

The technical safeguards are “the technologies as well as the policies and procedures for their use that protect ePHI and control access to it” (p. 2). One of the main requirements under this section is data encryption. The purpose of encryption is to make data unreadable, undecipherable, and unusable to an unauthorized party in case of a breach. The following questions highlight the importance of technical safeguards in general and the encryption of data in particular:

  • Do you encrypt all ePHI using strong encryption algorithms?
  • Are all workforce members issued a unique user ID? 
  • Do you require a unique user ID and strong passwords for accessing all systems containing ePHI?

The following table presents the implementation specifications and the mechanisms most appropriate for maintaining technical safeguards:

Organizational requirements

Covered entities must sign Business Associate Agreements (or contracts) with business associates who have access to ePHI. Such an agreement obligates the business associate to:

  • implement all necessary safeguards to protect ePHI created, received, maintained, or transmitted on behalf of the covered entity;
  • ensure that any agent that has access to ePHI agrees to implement all necessary safeguards to protect it;
  • report to the covered entity any security incident of which it becomes aware;
  • authorize termination of the contract by the covered entity in case of violation of any material term of the agreement.

Policies, Procedures, and Documentation Requirements

As outlined above, the HIPAA Security Rule intentionally does not specify which policies and procedures must be implemented to comply with its requirements. However, it makes clear that these measures must not permit or excuse an action that violates any HIPAA requirement. Covered entities may therefore implement only reasonable and appropriate procedures, and may change them at any time, provided that the changes are properly documented and implemented.

The HIPAA Security Rule pays special attention to documentation. Organizations must maintain a written record of any action, activity, or assessment that the Rule requires. In addition, covered entities are required to:

  • retain the documentation for 6 years from the date of its creation or the date when it was last in effect (whichever is later);
  • make documentation available to those persons responsible for implementing the procedures to which it pertains;
  • periodically review and update documentation in response to environmental or operational changes affecting the security of the ePHI.

Successful implementation of the above safeguards and requirements will bring your organization closer to HIPAA compliance.

Learn more about the HIPAA Security Rule and get a concise and unbiased analysis of your organization’s compliance with HIPAA Vitals.
Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646