HIPAA Security Rule
Last reviewed · By Chad Griffith
The HIPAA Security Rule at 45 CFR Part 164 Subpart C establishes national standards for protecting electronic Protected Health Information (ePHI). The Rule applies to covered entities and their business associates and organizes its standards into three safeguard categories: administrative (164.308), physical (164.310), and technical (164.312), supplemented by organizational requirements (164.314) and policies, procedures and documentation requirements (164.316). Each standard carries implementation specifications that are either 'required' (must be implemented as specified) or 'addressable' (must be implemented if reasonable and appropriate; otherwise the entity documents why not and implements an equivalent alternative where reasonable). The Security Rule's foundational requirement is the Security Risk Analysis at 164.308(a)(1)(ii)(A), whose findings drive the implementation of every other safeguard.
Frequently Asked Questions
What are the three Security Rule safeguard categories?
(1) Administrative safeguards (164.308): security management process (including risk analysis and risk management), assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts; (2) Physical safeguards (164.310): facility access controls, workstation use, workstation security, device and media controls; (3) Technical safeguards (164.312): access control, audit controls, integrity, person or entity authentication, transmission security. Each category contains both required and addressable implementation specifications. The risk analysis is what determines, for each addressable specification, whether it is reasonable and appropriate in the entity's environment and therefore must be implemented.
What is the difference between 'required' and 'addressable'?
Required specifications must be implemented as specified. Addressable specifications (164.306(d)(3)) must be evaluated by the entity through its risk analysis, with one of three documented outcomes: (a) implement the safeguard as specified; OR (b) implement an equivalent alternative measure that is more appropriate for the environment and document why; OR (c) document why the safeguard is not reasonable and appropriate and why no alternative is needed. Addressable does not mean optional: the decision is driven by risk, and the decision itself must be documented. Failing to evaluate and document an addressable specification is a Security Rule violation, regardless of whether the control itself was ultimately implemented.
Is encryption required under HIPAA?
Encryption appears as an addressable specification in two places: 164.312(a)(2)(iv) (encryption and decryption, under the access control standard, covering ePHI at rest) and 164.312(e)(2)(ii) (encryption, under the transmission security standard, covering ePHI in transit). The risk analysis determines whether encryption is reasonable and appropriate in each case. In modern environments, virtually all transmissions and most storage scenarios carry risks that make encryption reasonable, and OCR has cited entities that failed to encrypt without documenting an adequate alternative. Encryption also provides 'safe harbor' under the Breach Notification Rule: ePHI that was encrypted in accordance with HHS guidance (which points to NIST SP 800-111 for data at rest and NIST SP 800-52, 800-77 and 800-113 for data in transit) is not 'unsecured PHI', so its loss or theft does not trigger breach notification. The caveat practitioners miss is that the safe harbor only holds if the decryption key was not also compromised; a laptop stolen with its recovery key taped to it is still a breach.
How long must HIPAA Security Rule documentation be retained?
Per 45 CFR 164.316(b)(2)(i) (Security Rule) and the parallel provision at 164.530(j) (Privacy Rule), HIPAA documentation must be retained for at least 6 years from the date of creation OR the date when the documentation was last in effect, whichever is later. This includes: written policies and procedures, risk analysis and risk management plan documentation, security incident records, training records, business associate agreements, and breach risk assessments. The 'last in effect' clock matters in practice: a policy in force for 10 years must be kept for 16 years in total. The retention obligation does not end if the CE or BA ceases operations; the records should pass to a successor entity or a designated record custodian for the remainder of the 6-year period.