The healthcare industry is one of the most data-intensive industries: it generates vast amounts of electronic information to carry out clinical, operational, and administrative processes. In fact, a 2019 analysis by the World Economic Forum showed that hospitals alone generate over 50 petabytes of data annually, much of which includes electronic Protected Health Information (ePHI). More recently, LEK Insights reported that by 2025, the total amount of global healthcare data is projected to reach 10,800 exabytes. This enormous volume of data consists of sensitive information, including patient records, insurance details, treatment history, and other personal data. Because it is so sensitive, ePHI must be carefully protected from misuse or exploitation.
The HIPAA Security Rule acts like a digital fortress around ePHI. It requires covered entities to secure ePHI by deploying appropriate safeguards to maintain the integrity, security, and confidentiality of ePHI.
What is the HIPAA Security Rule?
The Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) is a U.S. federal regulation established under HIPAA. While the HIPAA Privacy Rule governs PHI in all forms (written, oral, and electronic), the Security Rule applies specifically to ePHI. It protects ePHI from unauthorized access, threats, and breaches by requiring all covered entities to implement administrative, physical, and technical safeguards.
The HIPAA Security Rule applies exclusively to covered entities and the business associates that handle ePHI on their behalf. The rule is also scalable: it takes into account differences between such entities, such as their size and the resources available to them.
Who Must Comply with the HIPAA Security Rule?
All covered entities managing ePHI, along with their business associates who handle it on their behalf, must adhere to the HIPAA Security Rule. They are:
| Entity Type | Inclusive of |
| --- | --- |
| Health Plans | Health insurance companies, HMOs, employer-sponsored plans, and government healthcare payment plans. |
| Healthcare Clearinghouses | Entities that transform nonstandard health information into the required standard formats. |
| Healthcare Providers | Physicians, dentists, psychologists, chiropractors, clinics, nursing homes, pharmacies, hospitals, and urgent care centers. |
| Business Associates | Third parties that handle ePHI on behalf of a covered entity, as stated in 45 CFR § 164.308(b)(1). |
HIPAA Security Rule Requirements
The Security Rule requires all covered entities and business associates to implement three types of safeguards: administrative, physical, and technical. These are set out in Sections 164.308, 164.310, and 164.312 of Title 45 of the Code of Federal Regulations:
Administrative Safeguards (45 CFR § 164.308)
- Risk Assessment: Under Section 164.308(a)(1), every covered entity must evaluate the risks to its ePHI by performing a thorough risk analysis, review its security measures and data access records, and modify them as needed. Measures that prevent or control the identified risks must then be implemented.
- Designating a Security Official: As mentioned in Section 164.308(a)(2), each covered entity must designate an individual from its workforce to oversee the security of ePHI. This person is required to develop and enforce the internal policies and procedures that protect ePHI, and is also responsible for maintaining and monitoring the safeguards identified through the risk assessment process.
- Workforce Management and Training: According to Section 164.308(a)(3), all covered entities must develop their policies and procedures in such a way that the employees have appropriate access, control, supervision, and authorization to work with ePHI. As per Section 164.308(a)(5), they must also train their employees on these security policies and procedures.
- Usage and Disclosure: The “minimum necessary” standard is officially part of the Privacy Rule (45 CFR Section 164.502(b)), but its application extends to the Security Rule. It requires all regulated entities to limit the use and disclosure of ePHI, so that ePHI is used and disclosed only where appropriate for the user.
- Security Incident Procedures: As stated in Section 164.308(a)(6), entities must implement policies and procedures to address security incidents. They are required to identify and respond to incidents, mitigate any harmful effects, and document both the incidents and their outcomes.
- Periodic Evaluation: Under Section 164.308(a)(8), all covered entities must periodically assess how effective their policies and procedures are through regular technical and non-technical evaluations. To demonstrate compliance with the Security Rule, entities must also document these assessments.
- Contingency Plan: In case of emergencies that damage the systems holding ePHI, all covered entities must implement a contingency plan in accordance with Section 164.308(a)(7). This plan must include ePHI backup plans, plans for restoring lost data, and plans for continuing critical business operations so that ePHI remains protected even in emergency mode.
- Business Associate Agreements: As per Section 164.308(b)(1), each covered entity must have a written contract, known as a business associate agreement, in place with each of its business associates. Only once this agreement is signed may a business associate create, maintain, transmit, or receive ePHI.
Physical Safeguards (45 CFR § 164.310)
- Facility Security: Each covered entity must restrict the use of and access to its electronic information systems in accordance with Section 164.310(a)(1). It must also limit physical access to the facilities that house these systems. This includes developing facility security plans, managing contingency operations, and establishing clear access control procedures. Records of facility maintenance, repairs, and modifications should also be kept to ensure the protection of critical systems.
- Workstation Security: As per Section 164.310(b) and (c), all entities are required to create policies and procedures that specify the proper use of workstations that store or access ePHI. They are also required to apply physical safeguards to these workstations, such as surveillance cameras and privacy-filtered monitors.
- Device and Media Controls: As specified in Section 164.310(d), regulated entities must establish clear policies and procedures for handling hardware and media that store ePHI. They must control where and how these storage devices are acquired, moved, and disposed of. The Security Rule also mandates procedures for removing ePHI from such media and devices before they are re-used; for this, regulated entities may use data erasure tools like BitRaser to verify that the data has been securely wiped.
Technical Safeguards (45 CFR § 164.312)
- Access Controls: As mentioned in Section 164.312(a), each covered entity must develop and implement technical policies and procedures to ensure authorized access to the electronic information systems containing ePHI, and to curtail misuse.
- Audit Controls: As mentioned in Section 164.312(b), each covered entity must monitor activity in the information systems that store ePHI. It must record and examine this activity by deploying appropriate hardware, software, and procedural mechanisms.
- ePHI Security: All covered entities must maintain the integrity and confidentiality of ePHI through integrity controls, in accordance with Section 164.312(c). They must also apply electronic mechanisms that prevent ePHI from being altered or deleted without authorization.
- Transmission Security: Section 164.312(e) states that each covered entity must use technical safeguards to secure ePHI while it is transmitted over networks, so that it cannot be intercepted, altered, or accessed without authorization in transit.
- Authentication: As per Section 164.312(d), all covered entities are required to verify the identity of the individual accessing the ePHI to prevent unauthorized access. For example, MFA (Multi-factor authentication) can be adopted for system access.
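The technical safeguards above describe what access controls, audit controls, and integrity controls must achieve, but not how they fit together in practice. The following is an added example (not code from the original article or from any product it mentions) showing one way the three interact: a deny-by-default role check whose every decision, including denials, is written to an HMAC-chained audit log, so that later alteration or removal of an interior record is detectable by an auditor holding the key. The role map, record fields, key, and sample events are all constructed for this example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as the "prev" value of the first record

# Constructed role map illustrating deny-by-default, "minimum necessary" access:
# a role gets only the actions listed here and nothing else.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read_billing"},
    "auditor": {"read_log"},
}


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so the same record always produces the same tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EphiAuditLog:
    """Append-only log whose records are HMAC-chained; the key is held by the auditor,
    not by the application writing the log, so writers cannot forge valid tags."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []
        self.last_tag = GENESIS

    def record(self, ts: int, actor: str, action: str, record_id: str, outcome: str) -> dict:
        body = {"ts": ts, "actor": actor, "action": action,
                "record_id": record_id, "outcome": outcome, "prev": self.last_tag}
        tag = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "tag": tag}
        self.entries.append(entry)
        self.last_tag = tag
        return entry


def authorize(log: EphiAuditLog, ts: int, actor: str, role: str,
              action: str, record_id: str) -> bool:
    """Access-control decision that is always logged, whether allowed or denied."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.record(ts, actor, action, record_id, "allow" if allowed else "deny")
    return allowed


def verify_chain(key: bytes, entries: list) -> tuple:
    """Return (True, n) if all n records verify; otherwise (False, index of first bad record)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "tag"}
        if body.get("prev") != prev:          # a record was removed or reordered
            return (False, i)
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("tag", "")):  # record contents changed
            return (False, i)
        prev = e["tag"]
    return (True, len(entries))


def demo():
    """Constructed scenario: two allowed accesses, one denied, then an attempt to hide the denial."""
    key = b"constructed-demo-key-not-for-production"
    log = EphiAuditLog(key)
    authorize(log, 1700000000, "dr.smith", "physician", "read", "MRN-0001")
    authorize(log, 1700000060, "clerk.jones", "billing", "read", "MRN-0001")   # denied
    authorize(log, 1700000120, "dr.smith", "physician", "update", "MRN-0001")
    intact = verify_chain(key, log.entries)
    tampered = [dict(e) for e in log.entries]
    tampered[1]["outcome"] = "allow"   # rewriting history is caught at index 1
    return intact, verify_chain(key, tampered)


if __name__ == "__main__":
    print(demo())
```

One caveat the chain alone does not cover: removing records from the tail still verifies, because nothing after them references the missing tags. A verifier therefore also needs the latest tag (or the record count) from an independent source, such as a periodic checkpoint kept by the auditor, to detect truncation.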
What Happens on Violation of the HIPAA Security Rule?
Privacy is non-negotiable when it comes to building individual trust and security. With this in mind, the Security Rule does not take violations lightly: it imposes civil money penalties on covered entities that fail to comply. Section 160.404 of Title 45 of the Code of Federal Regulations specifies three bases on which a civil money penalty can be levied:
- General Rule: The Secretary will penalize a covered entity or business associate if it is determined that the entity has violated an administrative simplification provision.
- Violation by a Covered Entity or Business Associate: As per the Security Rule, if the violation has occurred due to negligence of a covered entity or its workforce, the covered entity will be held liable. In case of a violation occurring because of the actions or negligence of business associate members or by the business associate itself, then the business associate will be held liable.
- Multiple-Party Violations: If the Secretary determines that the violation has been committed due to the fault of more than one entity, a civil money penalty will be levied on each of them.
These violations can result in hefty fines as categorized below:
| Tier | Basis | Fine per violation | Annual Cap |
| --- | --- | --- | --- |
| Tier 1 | The covered entity did not know the violation occurred and could not have avoided it even with due care. | $100 - $50,000 | $1,500,000 |
| Tier 2 | The violation occurred due to a valid cause and not willful neglect. | $1,000 - $50,000 | $1,500,000 |
| Tier 3 | The violation is due to willful neglect but is addressed within 30 days. | $10,000 - $50,000 | $1,500,000 |
| Tier 4 | The violation is due to willful neglect and is not corrected within 30 days. | Minimum $50,000 | $1,500,000 |
Conclusion: HIPAA Security Rule is Non-Negotiable
As the volume of data in the healthcare industry continues to grow, protecting PHI and ePHI has become a necessity. The HIPAA Security Rule safeguards ePHI and upholds the integrity of the healthcare industry. Organizations should regularly review their safeguards, train employees, conduct independent audits, and use certified data erasure tools to wipe devices containing ePHI. BitRaser is a professional data wiping software that helps the healthcare sector permanently wipe sensitive information beyond recovery using NIST and IEEE standards.