What is the HIPAA Security Rule? | Introduction and Overview

4. What is the HIPAA Security Rule?

Answer: The HIPAA Security Rule, as defined by the United States Department of Health and Human Services (hhs.gov) is federal legislation that “…establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/

From a scope perspective, the HIPAA Security Rule consists of the following areas:

  • 164.308: Administrative Safeguards
  • 164.310: Physical Safeguards
  • 164.312: Technical Safeguards
  • 164.314: Organizational Requirements
  • 164.316: Policies and Procedures and Documentation Requirements


HIPAA Policies and Procedures | Essential for Complying with the Security Rule
For the HIPAA Security Rule, subparts 164.308 – 164.312, the “safeguards” contain a laundry list of “standards” and “implementation specifications” that need to be addressed by Covered Entities and Business Associates to ultimately ensure compliance with the Health Insurance Portability and Accountability Act of 1996. More specifically, look upon these “safeguards” and “implementation specifications” as best practices for information security 101 – the policies, procedures, and processes that should be in place to ensure the safety and security of Protected Health Information, commonly known as PHI.

What’s interesting to note about the HIPAA Security Rule “safeguards” and other mandates is the need to put in place comprehensive HIPAA policies and procedures – documentation that speaks to the numerous information security and operational initiatives that healthcare companies are to adhere to. That is easier said than done, as developing such documentation can be incredibly difficult, complex, and challenging, especially for Covered Entities and Business Associates who are already challenged like never before.

HIPAA Security Rule | A Mandate for Covered Entities and Business Associates
Some of the major initiatives of the HIPAA Security Rule include undertaking an annual risk analysis (i.e., a risk assessment process), putting in place comprehensive security awareness and training for all workforce members, and access control provisions for anyone accessing Protected Health Information, along with many other core information security 101 best practices. It can be a challenging task, no question about it, but one that can be greatly alleviated by having a high-quality set of HIPAA policies and procedures to work with.

Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry-leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA), consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA-specific disaster recovery manual, and much more. Learn about our industry-leading HIPAA compliance toolkits today.

If your organization is in need of a HIPAA audit, and/or SSAE 16 SOC 1 and SOC 2 assessments that include testing of HIPAA provisions and mandates, please contact Charles Denyer at 1-800-277-5415, ext. 705, with the NDB Alliance of Firms. Learn more about NDB by visiting ndbcpa.com today.