HIPAA Safeguards Explained: Administrative, Physical, and Technical

By Joseph Abear

HIPAA protects health information through three sets of safeguards in the Security Rule: administrative, physical, and technical. The administrative safeguards cover policies, training, and risk analysis. The physical safeguards cover facilities and devices. The technical safeguards cover encryption, access controls, and audit logs. The separate Privacy Rule governs how PHI may be used and disclosed.

TL;DR: Quick answer

  • The HIPAA Security Rule defines three safeguard categories: administrative, physical, and technical.
  • Administrative safeguards cover policies, workforce training, and risk analysis.
  • Physical safeguards cover facility access and device controls; technical safeguards cover encryption, access, and audit logs.
  • The separate Privacy Rule governs permitted uses and disclosures of protected health information.

What are the three HIPAA safeguards?

The Security Rule applies to electronic protected health information (ePHI) and organizes protection into three categories. Every covered entity and business associate must address all three, scaled to its size and risk.

Administrative safeguards

These are the policies and processes that run a compliance program. They include a documented risk analysis, a risk management plan, workforce security and training, access management, and a contingency plan for emergencies. The risk analysis is the foundation, and a missing or inadequate risk analysis is one of the gaps most commonly cited in enforcement findings.

Physical safeguards

These protect the physical environment where ePHI lives. They include facility access controls, workstation security, and device and media controls that govern how hardware is used, moved, reused, and disposed of.

Technical safeguards

These are the technology controls that protect data directly. They include access controls and unique user IDs, audit logging, integrity controls, automatic logoff, and encryption of data in transit and at rest. Encryption is addressable rather than strictly mandatory, but in practice it is expected wherever it is reasonable.

How is the Privacy Rule different from the Security Rule?

The Security Rule governs how ePHI is protected technically and operationally. The Privacy Rule governs who may use or disclose PHI and under what circumstances, including patient rights such as the right to access their own records. The two rules work together, and the Breach Notification Rule sits alongside them, requiring notice when unsecured PHI is exposed.

Who has to meet these safeguards?

  • Covered entities: healthcare providers, health plans, and clearinghouses.
  • Business associates: vendors that handle PHI on their behalf, including hosting providers and software vendors.

Frequently asked questions

What are the three HIPAA safeguards?

Administrative, physical, and technical safeguards, all defined in the HIPAA Security Rule.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule governs uses and disclosures of PHI. The Security Rule governs how electronic PHI is protected through safeguards.

Is encryption required under HIPAA?

Encryption is an addressable specification, meaning you must implement it where reasonable or document why an equivalent measure is used instead. In practice it is expected for data in transit and at rest.

Where to go from here

To see how these safeguards translate into infrastructure, read our complete guide to HIPAA-compliant hosting.

This guide is general information, not legal advice. Refer to the HHS Security and Privacy Rules and qualified counsel for your specific obligations.