Updated for Current HIPAA Security Best practices — Aligned to HHS Security Rule summary and NIST SP 800-66 Rev.2, with practical guidance on MFA, continuous monitoring, and zero trust.

Request a Free HIPAA Risk Assessment — Quick 15-minute setup.

What Does the HIPAA Security Rule Actually Require?

HIPAA’s Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to ensure the confidentiality, integrity, and availability of ePHI through a set of comprehensive safeguards. These safeguards are broken down into three core types: Administrative, Physical, and Technical.

See the OCR audit protocol for how regulators verify compliance. Let’s look at all three.

1. Administrative Safeguards

These are the “people and policies” of HIPAA—the formal, written procedures that govern your workforce and the management of ePHI.

  • Security Management Process: This is the requirement to conduct a formal Security Risk Analysis (SRA) to find threats and implement a Risk Management plan to address them.
  • Information Access Management: Establishes policies for who gets access to ePHI, enforcing the “minimum necessary” principle (or Principle of Least Privilege).
  • Security Awareness and Training: Mandates a formal training program for all staff (including management) on security policies, procedures, and threats like phishing.
  • Contingency Planning: Requires a documented plan for data backup, disaster recovery, and emergency mode operations to protect ePHI during and after a crisis.

2. Physical Safeguards

These are the physical controls to protect your facilities, workstations, and devices from unauthorized physical access.

  • Facility Access Controls: Controls who can physically enter your buildings or offices, including door locks, alarms, security badges, and visitor logs.
  • Workstation Use and Security: Policies for securing all workstations where ePHI is viewed, such as required screen locks, privacy screens, and secure placement away from public areas.
  • Device and Media Controls: Governs the secure handling, disposal (shredding, degaussing), and re-use of media like laptops, servers, and USB drives.

3. The Core of HIPAA’s Security Rule: Technical Safeguards

These are the technology-focused controls you implement in your IT systems.

  • Access Controls
  • Audit Controls
  • Integrity Controls
  • Transmission Security

Explore HIPAA-Compliant Email — Trusted by healthcare providers nationwide.

Secure Your Healthcare Operations with Full HIPAA Compliance

HIPAA Vault provides end-to-end compliance services — from secure hosting to expert risk assessments and 24/7 support.

Get a Free Compliance Assessment

Key HIPAA Technical Safeguards Explained

While administrative and physical safeguards set the foundation, technical safeguards are the hands-on controls in your IT systems.

Access Controls

This safeguard enforces the “minimum necessary” principle at a technical level. It requires implementing Unique User IDs (no shared logins) for accountability, Role-Based Access Control (RBAC) to assign permissions based on job function, and an Emergency Access Procedure (“break-glass” protocol). Access must be reviewed regularly and de-provisioned immediately upon an employee’s termination.

Audit Controls

This requires systems to log and examine activity in systems containing ePHI. Logs must record significant events, such as who accessed ePHI, when they did, and what they modified. Simply collecting logs is not enough; they must be reviewed regularly for anomalies, often with the help of a SIEM (Security Information and Event Management) tool to detect threats.

Integrity Controls

This ensures ePHI is not improperly altered or destroyed, which is critical for patient safety (e.g., protecting allergy or medication data). This is typically achieved with checksums, hashing, or digital signatures, which act as a digital “fingerprint” to verify that data has not been tampered with.

Transmission Security

This protects ePHI when it is “in motion” over a network, preventing “man-in-the-middle” attacks. The primary control is end-to-end encryption using strong protocols like TLS 1.2 or higher. This must be applied to all websites (HTTPS), APIs, remote VPN connections, and email.

 Protect your workloads with a HIPAA-Compliant Cloud Solution — reliable uptime, secure by design.

Key Security Processes & Management

These are the ongoing, human-driven activities that ensure your technology is used safely and your compliance posture is actively managed.

System Hardening & Configuration Management

This is the process of reducing your “attack surface” by securing systems from their default settings. A strong hardening plan includes:

  1. Using an industry-standard baseline, like CIS Benchmarks.
  2. Enforcing least privilege for all systems and applications.
  3. Disabling all unused services and network ports.
  4. Implementing prompt and regular patch management.
  5. Enforcing strong password, session timeout, and account lockout policies.

Need secure server configurations? Get a HIPAA Hosting Quote

Employee Training & Access Management

Your staff is a key part of your defense, as phishing and social engineering remain the top causes of breaches. Training must be an ongoing process, not a one-time event. A strong program includes:

  • Onboarding: Security training for all new hires before they get system access.
  • Annual Refreshers: Yearly compliance and threat training for all staff.
  • Phishing Simulations: Regular, simulated phishing emails to test and train employees in a real-world scenario.
  • Key Topics: Training must cover phishing, social engineering, vishing, and physical security (e.g., “tailgating”).

Regular Security Risk Assessments

This is the central requirement of the HIPAA Security Rule. The Security Risk Assessment (SRA) is the formal process of identifying where your ePHI lives, what the threats are, and what the likelihood and impact of a breach would be.

  • This is not a “one-and-done” task. The SRA must be conducted at least annually and after any significant change to your IT environment (like a new EMR or moving to the cloud).
  • Documentation is key. Your SRA process and the resulting remediation plan are the first things an auditor will ask to see.

Learn practical steps in How to Conduct a HIPAA Risk Analysis for Small Practices.

Core Technical Safeguards & Best Practices

Beyond the requirements, a modern security program includes advanced practices to defend against threats like ransomware and credential theft.

Encryption (At Rest & In Transit)

Encryption should apply to all ePHI, everywhere.

  • Encryption at Rest: This protects data on hard drives, servers, and backups (e.g., using AES-256). If a laptop is stolen, the data is unreadable.
  • Encryption in Transit: This protects data as it moves, using TLS 1.2+ for web traffic, APIs, and VPNs.
  • Key Management: This also requires a secure process for managing your encryption keys.

Multi-Factor Authentication (MFA)

MFA is one of the most effective controls to prevent unauthorized access. It requires a second “factor” (e.g., a code from a mobile app, a USB key) in addition to a password. MFA should be enforced for all access to ePHI, especially for remote access (VPN), cloud dashboards, and administrative accounts.

Proactive Patch Management

This is a non-negotiable, time-sensitive process. You must have an automated and tracked system to identify, test, and deploy security patches. The highest priority must be given to critical vulnerabilities (CVEs) that are being actively exploited by attackers.

Backups, Incident Response, and Monitoring

This trio forms your “detect and respond” capability.

1. Backup and Disaster Recovery

Backups are your primary defense against ransomware. Your strategy should follow the 3-2-1 rule (3 copies of your data, on 2 different media, with 1 copy off-site). Backups must be encrypted and, ideally, immutable—meaning they cannot be altered or deleted by an attacker. You must test your restore process regularly.

2. Incident Response (IR) Plan

You must have a formal, written plan before a breach occurs. This plan details the phases of response: Preparation, Detection & Analysis, Containment, Eradication & Recovery, and Post-Incident Activity. This final phase includes documenting everything for HIPAA breach notification and improving your defenses.

3. 24/7/365 Monitoring

This is the active, real-time version of audit logging. It involves using a SIEM tool, often run by a Security Operations Center (SOC), to correlate all system logs. This allows for real-time alerts on suspicious activity, like impossible logins, large-scale data downloads, or signs of malware.

Preempt threats with HIPAA Penetration Testing

Don't wait until it's too late. Download our free HIPAA Compliance Checklist and make sure your organization is protected.

HIPAA IT Security Checklist

  • Encrypt all ePHI in transit and at rest
  • Conduct quarterly risk assessments and track remediation
  • Enforce MFA for all privileged access
  • Review access logs/audit trails at least monthly
  • Maintain immutable, encrypted backups
  • Implement RBAC and least privilege
  • Perform annual penetration testing
  • Keep policies current & accessible
  • Train staff on phishing & PHI handling
  • Partner with HIPAA-compliant hosting & cloud providers

Downloadable: The Ultimate HIPAA Compliance Checklist

Partnering for Compliance Success

HIPAA Vault delivers secure hosting, compliant email, and managed cloud tailored for healthcare.

Contact Us — Trusted by hospitals, clinics, and medical SaaS providers.

Frequently Asked Questions (FAQ)

HIPAA IT security isn’t a one-time task. With proactive controls, continual assessments, and a trusted partner like HIPAA Vault, you can stay secure and compliant while focusing on patient care.