
HIPAA Safeguards Explained: Administrative, Physical, and Technical Requirements

By Joseph Abear

The HIPAA Security Rule defines three categories of safeguards for electronic protected health information (ePHI): administrative safeguards at 45 CFR § 164.308, physical safeguards at § 164.310, and technical safeguards at § 164.312. Administrative safeguards cover risk analysis, workforce management, training, and contingency planning. Physical safeguards cover facilities, workstations, and media. Technical safeguards cover access control, audit logging, integrity, authentication, and transmission security. Every covered entity and business associate must address all three, scaled to its size and risk under the flexibility provision at § 164.306(b).

TL;DR: Quick answer

  • The three safeguard categories sit in 45 CFR § 164.308 (administrative), § 164.310 (physical), and § 164.312 (technical), and they bind covered entities and business associates alike.
  • Each standard contains implementation specifications labeled "required" or "addressable". Addressable does not mean optional: under § 164.306(d) it means implement the specification, or document why it is not reasonable and appropriate and put an equivalent alternative in place.
  • The missing or outdated risk analysis required by § 164.308(a)(1)(ii)(A) is among the most commonly cited gaps in HHS OCR enforcement actions.
  • All Security Rule documentation, including policies and the risk analysis, must be retained for 6 years under § 164.316(b)(2)(i).
  • A Security Rule update proposed in the Federal Register on January 6, 2025 would make most addressable specifications mandatory; it remains a proposal, not law, as of June 2026.

What are the administrative safeguards in 45 CFR § 164.308?

Administrative safeguards are the management layer: the policies, people, and processes that run a security program. The standards, with their key implementation specifications:

  • Security management process, § 164.308(a)(1). Includes risk analysis (required), risk management (required), a sanction policy (required), and information system activity review (required). The risk analysis is the foundation document; OCR asks for it first in nearly every investigation, and an absent or generic one undermines everything built on top of it.
  • Assigned security responsibility, § 164.308(a)(2). One identified security official, by name, not a committee.
  • Workforce security, § 164.308(a)(3). Authorization, clearance, and termination procedures (all addressable). Terminated-employee accounts that stay active are a classic finding; see our roundup of unintentional HIPAA violations.
  • Information access management, § 164.308(a)(4). Granting access on a minimum necessary basis.
  • Security awareness and training, § 164.308(a)(5). Reminders, malware protection, login monitoring, and password management (all addressable, all expected in practice).
  • Security incident procedures, § 164.308(a)(6). Response and reporting (required).
  • Contingency plan, § 164.308(a)(7). Data backup plan, disaster recovery plan, and emergency mode operation plan are all required; testing and applications-criticality analysis are addressable.
  • Evaluation, § 164.308(a)(8). Periodic technical and nontechnical review.
  • Business associate contracts, § 164.308(b). A written BAA, with the content requirements at § 164.504(e), before any vendor handles ePHI.

What are the physical safeguards in 45 CFR § 164.310?

Physical safeguards protect the places and hardware where ePHI lives:

  • Facility access controls, § 164.310(a). Contingency operations, a facility security plan, access control and validation, and maintenance records (all addressable). For cloud-hosted ePHI, these are largely inherited from the data center operator; AWS, for example, covers physical security under its shared responsibility model while the customer keeps everything above the hypervisor.
  • Workstation use and workstation security, § 164.310(b) and (c). Policies for how and where ePHI-touching machines are used and physically protected.
  • Device and media controls, § 164.310(d). Disposal and media re-use are required; accountability and data backup before movement are addressable. Decommissioned drives and copiers with intact storage have produced real OCR settlements.

What are the technical safeguards in 45 CFR § 164.312?

Technical safeguards are the controls implemented in software and hardware:

  • Access control, § 164.312(a)(1). Unique user identification, § 164.312(a)(2)(i), is required. Emergency access procedure, (a)(2)(ii), is required. Automatic logoff, (a)(2)(iii), is addressable. See HIPAA automatic logoff for the timeout details. Encryption and decryption at rest, (a)(2)(iv), is addressable.
  • Audit controls, § 164.312(b). Required. Mechanisms that record and allow examination of activity in systems containing ePHI.
  • Integrity, § 164.312(c). Mechanisms to detect improper alteration or destruction (addressable).
  • Person or entity authentication, § 164.312(d). Required. Verify that the person seeking access is who they claim.
  • Transmission security, § 164.312(e)(1). Integrity controls, (e)(2)(i), and encryption in transit, (e)(2)(ii), are both addressable.

What does "addressable" actually mean under § 164.306(d)?

Addressable is the most misread word in the Security Rule. Under 45 CFR § 164.306(d), an addressable specification must be implemented if reasonable and appropriate. If not, the organization must document why, and implement an equivalent alternative where reasonable. Skipping encryption with no documented analysis satisfies neither path. In practice, encryption at rest and in transit is treated as a baseline because it is cheap, available, and the strongest defense in a breach: properly encrypted data that is lost generally does not trigger notification under §§ 164.400-414 because it is not "unsecured" PHI.

One forward-looking note: the Security Rule update proposed December 27, 2024 and published in the Federal Register on January 6, 2025 would remove the required versus addressable distinction and mandate encryption, MFA, and asset inventories outright. Comments closed March 7, 2025 with roughly 4,745 submissions. As of June 2026 no final rule has issued, so treat those changes as proposed and subject to change.

How does each safeguard map to a hosting control?

For organizations whose ePHI lives on web infrastructure, here is the translation we apply when building environments:

Safeguard | Citation | Concrete hosting control
Risk analysis | § 164.308(a)(1)(ii)(A) | Documented assessment of the hosting stack, updated on architecture changes
Contingency plan | § 164.308(a)(7) | Encrypted automated backups with periodic restore tests and a written DR runbook
BAA | § 164.308(b) | Signed BAA from the host and every subprocessor touching ePHI
Facility access | § 164.310(a) | Inherited from the cloud provider's audited data centers
Media disposal | § 164.310(d)(2)(i) | Encrypted volumes plus provider-attested media destruction
Unique user ID | § 164.312(a)(2)(i) | Per-person accounts in IAM and the CMS; no shared admin logins
Automatic logoff | § 164.312(a)(2)(iii) | Session timeouts at the application and SSH/console layer
Encryption at rest | § 164.312(a)(2)(iv) | AES-256 encrypted disks and database storage
Audit controls | § 164.312(b) | Centralized, tamper-resistant access and activity logs
Transmission security | § 164.312(e)(2)(ii) | TLS 1.2 or higher enforced on every endpoint
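As an added illustration (not code from the article or its hosting service), the mapping above can be turned into an automated check: describe the environment as data, then test each technical and contingency control and report the failures keyed to the citation. The dictionary layout, its keys and the SAMPLE_ENV values are assumptions made up for this example, not any provider's real API.

```python
# Added example (not from the article): evaluate a hosting environment
# description against the controls in the table above. The dict layout and
# its keys are constructed for illustration, not any provider's real API.

SAMPLE_ENV = {  # constructed sample: a mostly-compliant stack with a few gaps
    "backups": {"encrypted": True, "restore_tested": False, "dr_runbook": True},
    "baas": {"host": True, "email-relay": False},
    "admin_accounts": [{"name": "alice", "shared": False}, {"name": "admin", "shared": True}],
    "session_timeout_min": {"app": 15, "ssh": 10},
    "encryption_at_rest": {"disk": "AES-256", "database": "AES-256"},
    "logging": {"centralized": True, "tamper_resistant": True},
    "endpoints": {"www": "1.2", "api": "1.3", "legacy": "1.0"},
}

def check_hosting_controls(env: dict) -> list[tuple[str, str, str]]:
    """Return (citation, safeguard, detail) for each table control the env fails."""
    f = []
    # § 164.308(a)(7): encrypted backups, periodic restore test, written DR runbook
    b = env.get("backups", {})
    if not (b.get("encrypted") and b.get("restore_tested") and b.get("dr_runbook")):
        f.append(("§ 164.308(a)(7)", "Contingency plan",
                  "need encrypted backups, a tested restore and a written DR runbook"))
    # § 164.308(b): signed BAA from the host and every subprocessor touching ePHI
    unsigned = sorted(v for v, ok in env.get("baas", {}).items() if not ok)
    if unsigned:
        f.append(("§ 164.308(b)", "BAA", "no signed BAA from: " + ", ".join(unsigned)))
    # § 164.312(a)(2)(i): per-person accounts only; flag any shared admin login
    for a in env.get("admin_accounts", []):
        if a.get("shared"):
            f.append(("§ 164.312(a)(2)(i)", "Unique user ID", f"shared admin login: {a['name']}"))
    # § 164.312(a)(2)(iii): a timeout must exist at the app and the SSH/console layer
    for layer in ("app", "ssh"):
        if not env.get("session_timeout_min", {}).get(layer):
            f.append(("§ 164.312(a)(2)(iii)", "Automatic logoff", f"no timeout at {layer} layer"))
    # § 164.312(a)(2)(iv): AES-256 on both disks and database storage
    for store in ("disk", "database"):
        if env.get("encryption_at_rest", {}).get(store) != "AES-256":
            f.append(("§ 164.312(a)(2)(iv)", "Encryption at rest", f"{store} is not AES-256"))
    # § 164.312(b): logs centralized and tamper-resistant
    lg = env.get("logging", {})
    if not (lg.get("centralized") and lg.get("tamper_resistant")):
        f.append(("§ 164.312(b)", "Audit controls", "logs not centralized and tamper-resistant"))
    # § 164.312(e)(2)(ii): TLS 1.2 or higher enforced on every endpoint
    for ep, ver in env.get("endpoints", {}).items():
        if ver not in ("1.2", "1.3"):
            f.append(("§ 164.312(e)(2)(ii)", "Transmission security", f"{ep} allows TLS {ver}"))
    return f

if __name__ == "__main__":
    for citation, safeguard, detail in check_hosting_controls(SAMPLE_ENV):
        print(f"{citation:22} {safeguard:22} {detail}")
```

Each finding carries the citation, so the output doubles as the evidence trail for the addressable-specification decisions that § 164.316 requires you to keep.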

The full technical detail sits in our companion piece on HIPAA hosting security measures, and our explainer on what compliant hosting services actually include.

How do the Privacy Rule and documentation requirements fit in?

The Security Rule governs how ePHI is protected. The separate Privacy Rule governs who may use and disclose PHI and grants patients rights such as access to their records. The Breach Notification Rule, 45 CFR §§ 164.400-414, requires notice to individuals within 60 days of discovering a breach of unsecured PHI (§ 164.404) and notice to HHS on a schedule that depends on whether 500 or more people are affected (§ 164.408). Underpinning all of it, § 164.316(b)(2)(i) requires policies, procedures, and required documentation to be kept for 6 years from creation or last effective date. Failures in any layer feed the civil penalty tiers, which for 2026 run from $145 to $2,190,294 per violation.

Frequently asked questions

What are the three HIPAA safeguards?

Administrative safeguards (45 CFR § 164.308), physical safeguards (§ 164.310), and technical safeguards (§ 164.312), all part of the HIPAA Security Rule and all applicable to covered entities and business associates.

Is encryption required under HIPAA?

Encryption at rest (§ 164.312(a)(2)(iv)) and in transit (§ 164.312(e)(2)(ii)) are addressable specifications. Under § 164.306(d) you must implement them where reasonable or document an equivalent alternative; in practice nearly every risk analysis concludes encryption is reasonable.

What is the difference between required and addressable specifications?

Required specifications must be implemented as written. Addressable specifications must be implemented if reasonable and appropriate; otherwise the organization documents why and adopts an equivalent measure. Neither label permits silently skipping a control.

Do business associates have to meet all three safeguard categories?

Yes. Since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance, including hosting providers, software vendors, and agencies that handle ePHI.

How long must HIPAA security documentation be kept?

Six years from creation or the date it was last in effect, under 45 CFR § 164.316(b)(2)(i). That includes the risk analysis, policies, and records of addressable-specification decisions.

Where to go from here

Start with the risk analysis, then work each safeguard category against your actual infrastructure. For the infrastructure half of that work, see our complete guide to HIPAA-compliant hosting. If you would rather have the technical safeguards configured and maintained for you under a BAA, that is what our managed HIPAA cloud hosting does; managed HIPAA hosting is our business, so weigh the recommendation accordingly.

This article is general information, not legal advice. Consult qualified counsel and base your safeguards on a documented risk analysis specific to your organization. Reviewed June 2026.
