Your security and compliance glossary

All the terms you need to know when you’re trying to get compliance audit ready, fast.

Show filters

What are the HIPAA Safeguards?

HIPAA Safeguards are the administrative, technical, and physical safeguards that covered entities are required to maintain by the terms of the HIPAA Security Rule to protect individuals’ electronic protected health information (ePHI).

The Security Rule defines Administrative Safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” The Administrative Safeguards comprise more than half of the HIPAA Security Requirements. Administrative Safeguards include: 

  • Implementation of a Security Management Process
  • Designation of Security Personnel
  • Implementation of Information Access Management policies and procedures for authorizing access to ePHI
  • Provision of Workforce Training and Management
  • Performance of regular Evaluations against the requirements of the Security Rule

The Security Rule defines Technical Safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” The Technical Safeguards include:

  • Implementation of Access Control policies and procedures that allow only authorized persons to access ePHI
  • Implementation of Audit Controls to record and examine access and other activity in information systems that contain or use ePHI
  • Implementation of Integrity Controls, policies, and procedures to ensure ePHI is not destroyed or improperly altered
  • Implementation of technical security measures to ensure Transmission Security—guarding against unauthorized access to ePHI transmitted over an electronic network

The Security Rule defines Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The Physical Safeguards include:

  • Management of Facility Access and Control, a covered entity must limit physical access to its facilities while ensuring that authorized access is allowed
  • Implementation of Workstation and Device Security policies and procedures to specify proper use of and access to workstations and electronic media

{{cta_withimage13="/cta-modules"}}

Additional resources you might like:

Compliance
Blog
How to handle risk management under growing regulatory pressure: Best practices in 2026

Learn how to align risk management and regulations to navigate the business landscape.

Compliance
Blog
What Is a risk register? Best practices for keeping It actionable

Learn what a risk register is and how modern GRC teams should use it.

Compliance
Blog
What is Enterprise Risk Management (ERM)? Everything you need to know

Explore modern enterprise risk management (ERM) and what makes it a strategic business discipline

Additional resources you might like:

Compliance
Blog
How to handle risk management under growing regulatory pressure: Best practices in 2026

Learn how to align risk management and regulations to navigate the business landscape.

Compliance
Blog
What Is a risk register? Best practices for keeping It actionable

Learn what a risk register is and how modern GRC teams should use it.

Compliance
Blog
What is Enterprise Risk Management (ERM)? Everything you need to know

Explore modern enterprise risk management (ERM) and what makes it a strategic business discipline

GRC
Events
What is GRC Engineering? A fresh take on an old space

Join Lovable and Vanta for an exclusive virtual event on what modern GRC actually looks like when it is done right.

GRC
Blog
Building a risk taxonomy: A guide to classifying risks

Learn how to classify and prioritize risks using a structured risk taxonomy.

GRC
Blog
Understanding inherent risk vs residual risk—and why the gap matters

Learn about inherent and residual risk beyond definitions and see how they influence decisions.

Compliance
Events
Agentic compliance in action with Vanta and Claude

Register to learn how Vanta's MCP Server brings your compliance program directly into Claude.

GRC
Blog
How to write a risk appetite statement in 5 steps

A risk appetite statement isn’t useful unless it drives decisions. Learn how to create one with clear thresholds that help align action with your risk appetite.

GRC
Blog
Risk appetite and risk tolerance: What’s the difference?

Learn what risk appetite and risk tolerance mean, how they differ and formalize them at scale.