U.S. regulation
HIPAA Security Rule
U.S. regulation

HIPAA Security Rule

All frameworks

What it is

U.S. federal regulation (45 CFR Part 164) requiring covered entities and business associates to safeguard electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

Who uses it

Hospitals, payers, health-tech SaaS handling ePHI, and any vendor that processes ePHI under a Business Associate Agreement (BAA).

Why it matters

Fines reach into the millions. HHS OCR publishes enforcement actions monthly. HIPAA is the dominant framework for U.S. healthcare GRC.

Structure

Administrative Safeguards

Risk analysis, workforce training, sanction policies, contingency plans — the management layer.

Physical Safeguards

Facility access controls, workstation security, device and media controls.

Technical Safeguards

Access control, audit controls, integrity, transmission security, encryption (addressable).

Required vs Addressable

'Required' must be implemented; 'Addressable' must be implemented OR a documented justification provided.

Terminology

ePHI
Electronic Protected Health Information — any individually identifiable health info in electronic form.
BAA
Business Associate Agreement — contract between a covered entity and a vendor handling ePHI.
Breach
Unauthorized access/disclosure of unsecured ePHI — triggers HHS notification within 60 days.
Minimum Necessary
Principle requiring use/disclosure of the minimum ePHI needed for the purpose.

Beginner explanation

HIPAA Security Rule is about protecting health data in electronic form. It is principles-based — there is no checklist of 'these 50 controls' — so risk analysis is the centerpiece.

Practical examples

  • A telehealth startup signs a BAA with AWS, encrypts ePHI at rest with KMS, and trains staff annually.
  • A clinic's lost laptop containing unencrypted ePHI triggers breach notification because encryption was 'addressable' and not implemented or justified.

Advanced notes

HIPAA Security Rule, Privacy Rule, and Breach Notification Rule are separate but interlocking. HITECH expanded enforcement and breach notification requirements.