⚠️ January 2025: HHS has proposed updates to the HIPAA Security Rule (a notice of proposed rulemaking); the changes are not yet in effect
HIPAA Glossary

Security Rule

The HIPAA rule establishing national standards for protecting electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

Understanding the Security Rule

The HIPAA Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information (45 CFR Part 160 and Subparts A and C of Part 164), was published in February 2003, with compliance required from April 2005 (April 2006 for small health plans). It applies specifically to electronic protected health information (ePHI), unlike the Privacy Rule, which covers PHI in every form, including paper and oral. The Security Rule requires covered entities and, since the HITECH Act and the 2013 Omnibus Rule made them directly liable, business associates to ensure the confidentiality (ePHI is not made available or disclosed to unauthorized persons or processes), integrity (ePHI is not altered or destroyed in an unauthorized manner), and availability (ePHI is accessible and usable on demand by authorized persons) of all ePHI they create, receive, maintain, or transmit.

Structure and Requirements

The Security Rule is organized around three categories of safeguards. Administrative safeguards include risk analysis, risk management, workforce training, information access management, security incident procedures, and contingency planning. Physical safeguards address facility access controls, workstation use and security, and device and media controls. Technical safeguards cover access control, audit controls, integrity controls, person or entity authentication, and transmission security. Each safeguard category contains standards, and each standard has implementation specifications classified as either required (must be implemented) or addressable (must be assessed for whether it is reasonable and appropriate in the entity's environment). Addressable does not mean optional: if an addressable specification is not implemented, the entity must document why and implement an equivalent alternative measure where one is reasonable and appropriate, and the risk analysis supporting that decision must itself be documented. The Security Rule is intentionally technology-neutral and scalable, allowing organizations of different sizes to choose appropriate solutions, but the flexibility applies to how a standard is met, not whether it is met.

Evolving Security Requirements

The Security Rule continues to evolve to address the modern threat landscape. In January 2025 HHS published a notice of proposed rulemaking (NPRM) that would substantially strengthen the rule; because it is a proposal, the current rule remains the enforceable standard until a final rule is published and its compliance date arrives. The proposed changes include removing the distinction between required and addressable specifications so that all are required, mandatory encryption of ePHI at rest and in transit, mandatory multi-factor authentication, a written risk analysis reviewed and updated at least annually, regular vulnerability scanning and penetration testing, network segmentation, and a maintained technology asset inventory and network map. These changes reflect the significant increase in healthcare data breaches and the growing sophistication of cyber threats targeting the healthcare sector. Organizations should adopt these measures now rather than waiting for a final rule: encryption, MFA, asset inventory, and periodic testing are widely recognized baseline controls, and most are already expected as reasonable and appropriate under the current rule's addressable specifications.
