‍

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 that authorizes the U.S. Department of Health and Human Services (HHS) to set and enforce national standards for protecting sensitive patient health information.

‍

Due to the complexities of safeguarding health information, HIPAA introduced several regulatory standards, or “Rules,” that define how protected health information (PHI) should be safeguarded. The three most important rules are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

‍

This guide focuses on the HIPAA Security Rule, which sets standards for a risk-based approach to protecting electronic PHI (ePHI). We’ll break down:

‍

• What the Security Rule is, and why it matters
• Who must comply
• How to achieve compliance (and potential compliance challenges)

‍

What is the HIPAA Security Rule?

The Security Rule is one of several Rules established under HIPAA to help covered entities and business associates protect sensitive health information with practical safeguards. Finalized in 2003, the Security Rule sets national standards for safeguarding ePHI, which refers to any PHI that is created, stored, transmitted, or received electronically. Examples include:

‍

• Electronic health records (EHRs)
• Electronic prescriptions (e-prescriptions)
• Appointment scheduling systems
• Digital patient notes and appointment records
• Patient billing information stored in electronic systems

‍

The Security Rule was strengthened by the HIPAA Omnibus Rule of 2013, which extended its compliance obligations directly to business associates and clarified requirements for conducting and documenting risk analysis.

‍

Although the Security and Privacy Rules are closely related, they serve distinct purposes. While the Security Rule focuses on how to protect ePHI, the latter governs who can see and use the health information of patients, and under what circumstances. The table below outlines how their purpose and safeguards differ:

‍

‍

{{cta_withimage13="/cta-blocks"}} | HIPAA compliance checklist

‍

Why does the Security Rule matter?

The HIPAA Security Rule establishes a “federal floor” for protecting ePHI, meaning in-scope organizations must meet or exceed the Security Rule’s requirements to ensure the confidentiality, integrity, and availability of ePHI. Organizations with more advanced security programs may implement stricter controls, provided they satisfy the Security Rule’s baseline requirements.

‍

The Security Rule addresses how to protect ePHI through administrative, physical, and technical safeguards, as well as risk management practices. It works with the Privacy Rule, which governs when and under what circumstances PHI (including oral, written, and electronic forms) can be used or disclosed.

‍

For example, The Privacy Rule allows disclosures without patient authorization for treatment, payment, and healthcare operations. However, for most other use cases (such as marketing or certain types of research), explicit patient authorization is required.

‍

Who needs to comply with the HIPAA Security Rule?

The HIPAA Security Rule is mandatory for all covered entities that handle ePHI as part of HIPAA-regulated transactions, including healthcare providers, health plans, and healthcare clearinghouses. Additionally, compliance is mandatory for business associates,  or entities that create, receive, maintain, or transmit ePHI on behalf of covered entities. Common examples include IT service providers, billing companies, software vendors, and cloud storage vendors.

‍

The U.S. Department of Health and Human Services (HHS) enforces the Security Rule, specifically through its Office for Civil Rights (OCR). The OCR investigates violations and may impose penalties, such as corrective action plans or fines. However, in case of willful HIPAA breaches or criminal misconduct, enforcement shifts to the U.S. Department of Justice (DoJ), which has the authority to pursue criminal charges.

‍

Note that the Security Rule applies only to ePHI. If covered entities and business associates share sensitive health information verbally or in paper form, those activities are regulated primarily by the HIPAA Privacy Rule.

‍

How to achieve HIPAA Security Rule compliance

To comply with the HIPAA Security Rule, your organization must implement different measures to protect ePHI. These requirements generally fall into two key categories:

‍

1. Safeguards
2. Organizational requirements

‍

Many of the criteria under the Security Rule overlap with other well-known industry frameworks, such as HITRUST, SOC 2, and ISO 27001. If your organization already meets or is pursuing these standards, you’ll likely find your HIPAA compliance efforts streamlined.

‍

{{cta_withimage39="/cta-blocks"}} | The Healthcare compliance checklist

‍

1. Safeguards

Under the HIPAA Security Rule, safeguards are the specific measures organizations must implement to protect ePHI. These safeguards are grouped into three categories:

‍

‍

To account for differences in size, complexity, and resources, the HIPAA Security Rule categorizes its implementation specifications as:

‍

1. Required: Must be implemented exactly as outlined by HIPAA. For example, conducting regular risk analysis to identify potential threats and vulnerabilities to ePHI.
2. Addressable: These are mandatory but flexible. Organizations must evaluate whether an addressable measure is reasonable and appropriate based on their specific risks, resources, and operations. If a particular safeguard isn't suitable, the organization must document why and provide an acceptable alternative. For example, automatically logging out users after a period of inactivity is an addressable safeguard. An organization might decide that a 15-minute timeout on unattended workstations is appropriate to reduce the risk of unauthorized access.

‍

2. Organizational requirements

Alongside safeguards, the Security Rule outlines specific organizational requirements that covered entities and their business associates must follow to stay compliant. 

‍

A critical requirement is establishing a business associate agreement (BAA). This legally binding contract specifies how business associates must safeguard ePHI handled on behalf of covered entities. A BAA typically outlines:

‍

• Permitted uses and disclosures of ePHI
• Required security measures and safeguards
• The obligation to report breaches or non-compliance

‍

Other important organizational requirements under the Security Rule include:

‍

1. Policies and procedures: Develop, document, and maintain comprehensive policies that reflect Security Rule requirements for protecting ePHI.
2. Availability: Ensure systems that store or manage ePHI remain accessible as needed for patient care and essential business operations.
3. Documentation: Retain documentation of all compliance-related decisions, risk analysis, policies, and actions for at least six years.
4. Updates: Regularly review policies, procedures, and safeguards y to reflect changes in technology, operations, or risks.

‍

Maintaining accurate documentation and keeping policies up to date can place a significant burden on compliance teams, as these ongoing tasks require dedicated time, cross-functional coordination, and a clear understanding of the evolving risk landscape.

‍

HIPAA Security Rule: Potential compliance challenges

While the HIPAA Security Rule clearly defines what regulated entities must achieve to protect ePHI, it does not specify exactly how those goals should be met. Instead, it allows organizations to tailor their approach based on:

‍

1. The size, complexity, and capabilities of the organization
2. The technical infrastructure in place, including available hardware and software
3. The costs associated with different security measures
4. The likelihood and potential risks to ePHI

‍

While this flexibility helps organizations achieve compliance, the lack of clear implementation guidelines can confuse teams. Not knowing where to start or how to prove they’re doing enough can often slow down the compliance process, especially for smaller organizations or those navigating HIPAA for the first time.

‍

“

One of the most overlooked challenges with HIPAA Security Rule compliance is treating it as a one-and-done task. Compliance demands ongoing effort. Regular risk assessments are fine, but I’d go a step further and recommend conducting tabletop incident simulations to stress-test your response plans, as the threat landscape is constantly evolving. For example, you might have assessed risks around your AI systems once, but new attack vectors are emerging all the time. The real question is: Have you revisited those risks since? Or implemented proactive measures?"

Marsel Fazilov

GRC Security Program Manager, Vanta

|

LinkedIn

‍

Compliance and privacy teams also struggle with the continuous workload, especially when processes are managed manually. One effective strategy for reducing workflow fatigue is adopting automation tools like Vanta that streamline risk assessments, policy updates, documentation, and evidence collection.

‍

Vanta: The smarter way to stay HIPAA-compliant

As an end-to-end trust management platform, Vanta can help your organization continuously monitor the requirements of HIPAA, including the Security Rule. It streamlines HIPAA compliance by providing expert guidance, built-in resources, and automated security control monitoring.

‍

Here are some features in Vanta’s HIPAA product that can ease your compliance workflows:

‍

• 375+ integrations with business tools
• Automated evidence collection and related control testing
• Real-time monitoring of your security posture
• Pre-built policy templates and an in-app policy editor
• Instant security reports and security training management

‍

If your organization is already compliant with frameworks like SOC 2, ISO 27001, or HITRUST, Vanta’s in-built evidence cross-mapping can align your evidence with HIPAA requirements. This way, you can streamline your compliance process across multiple standards within one platform and avoid duplicative work.

‍

Schedule a demo and see how Vanta can automate your HIPAA compliance process.

‍

{{cta_simple18="/cta-blocks"}} | HIPAA product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.