HIPAA Security Rule
What it is
U.S. federal regulation (45 CFR Part 164) requiring covered entities and business associates to safeguard electronic protected health information (ePHI) through administrative, physical, and technical safeguards.
Who uses it
Hospitals, payers, health-tech SaaS handling ePHI, and any vendor that processes ePHI under a Business Associate Agreement (BAA).
Why it matters
Fines reach into the millions. HHS OCR publishes enforcement actions monthly. HIPAA is the dominant framework for U.S. healthcare GRC.
Structure
Risk analysis, workforce training, sanction policies, contingency plans — the management layer.
Facility access controls, workstation security, device and media controls.
Access control, audit controls, integrity, transmission security, encryption (addressable).
'Required' must be implemented; 'Addressable' must be implemented OR a documented justification provided.
Terminology
Beginner explanation
HIPAA Security Rule is about protecting health data in electronic form. It is principles-based — there is no checklist of 'these 50 controls' — so risk analysis is the centerpiece.
Practical examples
- A telehealth startup signs a BAA with AWS, encrypts ePHI at rest with KMS, and trains staff annually.
- A clinic's lost laptop containing unencrypted ePHI triggers breach notification because encryption was 'addressable' and not implemented or justified.
Advanced notes
HIPAA Security Rule, Privacy Rule, and Breach Notification Rule are separate but interlocking. HITECH expanded enforcement and breach notification requirements.