HIPAA compliance is one of the most consequential regulatory obligations facing healthcare IT teams in the United States. While the regulation is sometimes reduced to a checklist exercise, its core requirements — particularly those in the Security Rule — demand a substantive programme of technical controls, documentation, workforce management, and ongoing risk management. This guide focuses on what healthcare IT teams actually need to implement and demonstrate.
What the HIPAA Security Rule Requires
The HIPAA Security Rule, codified at 45 CFR Part 164, establishes requirements for protecting electronic protected health information (ePHI) — any health information that is created, maintained, or transmitted in electronic form and can be linked to a specific individual.
The rule applies to covered entities (health plans, healthcare providers that conduct electronic transactions, and healthcare clearinghouses) and their business associates. It establishes three categories of safeguards: administrative, physical, and technical.
A critical distinction in the regulation is between required and addressable specifications. Required specifications must be implemented. An addressable specification must also be implemented unless the organisation determines that it is not reasonable and appropriate in its environment, in which case the organisation must document why and implement an equivalent alternative. Addressable does not mean optional.
Administrative Safeguards
Administrative safeguards are the policies, procedures, and processes that govern how ePHI is managed. They are the largest category in the Security Rule and arguably the most important, because technical controls cannot substitute for organisational discipline.
Risk analysis is the cornerstone of the administrative safeguards and the most scrutinised item in OCR (Office for Civil Rights) investigations. Organisations must conduct a thorough, accurate, and organisation-wide assessment of the risks and vulnerabilities to ePHI. This means identifying all systems that store, process, or transmit ePHI; identifying threats and vulnerabilities for each; assessing the likelihood and impact of those threats; and determining the current level of risk.
Risk management requires implementing measures to reduce identified risks to an appropriate level, and maintaining an ongoing programme to monitor and address new risks over time.
Workforce training requires that all workforce members who work with ePHI receive security awareness training. This includes recognising phishing, handling sensitive information appropriately, understanding their obligations under HIPAA, and knowing how to report suspected incidents.
Access management requires policies covering who is authorised to access ePHI, how access is provisioned and reviewed, and how access is terminated when an employee leaves or changes roles.
Physical Safeguards
Physical safeguards address the physical protection of systems that hold ePHI. Requirements include facility access controls (limiting who can enter data centres and server rooms), workstation use policies (defining appropriate use of workstations that access ePHI), workstation security (positioning screens away from unauthorised viewers, locking screens on inactivity), and device and media controls covering how hardware is disposed of and how ePHI is handled when equipment is retired or repurposed.
Technical Safeguards
Technical safeguards are the controls implemented in systems and infrastructure to protect ePHI.
Access Controls
Systems must implement technical mechanisms that allow only authorised users to access ePHI. This includes unique user identification (no shared accounts), emergency access procedures, automatic session logoff, and, as an addressable specification, encryption and decryption.
Audit Controls
Organisations must implement hardware, software, and procedural mechanisms to record and examine activity on systems that contain or use ePHI. This means maintaining detailed audit logs of who accessed what records and when, log retention appropriate to the risk environment, and regular review of audit logs for anomalous activity.
In practice, this requires a centralised logging solution (typically a SIEM) that aggregates logs from EHR systems, file servers, email systems, and network infrastructure, with defined retention periods and alerting for suspicious patterns.
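The "regular review of audit logs for anomalous activity" described above is easy to state and easy to neglect. The following is an added example, not code from the original article, that shows the shape of such a review in miniature: it parses a constructed EHR access-log format and applies three simple rules (use of an account that should have been revoked, access outside business hours, and one user touching many distinct patient records within an hour). The log lines, user names, patient identifiers, thresholds and the terminated-account list are all constructed assumptions; a real deployment would feed these from the EHR audit trail and the HR offboarding process, and a SIEM would carry the same rules as correlation searches.

```python
"""Review of EHR access logs for anomalous patterns (added example).

The log format, user names, patient IDs, thresholds and the list of
terminated accounts are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit lines: timestamp, user, action, patient record ID.
SAMPLE_LOG = """\
2024-03-04T09:12:03 drsmith VIEW PT-1001
2024-03-04T09:13:41 drsmith VIEW PT-1002
2024-03-04T10:02:17 nurse_k VIEW PT-1003
2024-03-04T13:45:09 billing7 VIEW PT-1001
2024-03-04T13:45:12 billing7 VIEW PT-1004
2024-03-04T13:45:15 billing7 VIEW PT-1005
2024-03-04T13:45:18 billing7 VIEW PT-1006
2024-03-04T13:45:21 billing7 VIEW PT-1007
2024-03-04T13:45:24 billing7 VIEW PT-1008
2024-03-04T02:17:55 drsmith VIEW PT-1009
2024-03-04T11:30:00 jdoe_old VIEW PT-1010
"""

# Constructed policy parameters (assumptions; tune to the environment).
TERMINATED_ACCOUNTS = {"jdoe_old"}          # would come from the HR offboarding feed
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # access outside this window is flagged
MAX_DISTINCT_PATIENTS_PER_HOUR = 5           # "record snooping" threshold


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
        })
    return records


def find_anomalies(records):
    """Return a sorted list of (rule, user, detail) findings."""
    findings = []
    per_user_hour = defaultdict(set)   # (user, hour bucket) -> patient IDs seen

    for r in records:
        # Rule 1: any activity by an account that should have been revoked.
        if r["user"] in TERMINATED_ACCOUNTS:
            findings.append(("terminated_account", r["user"], r["patient"]))

        # Rule 2: access outside business hours.
        t = r["ts"].time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            findings.append(("after_hours", r["user"], r["ts"].isoformat()))

        # Collect distinct records per user per hour for rule 3.
        bucket = (r["user"], r["ts"].replace(minute=0, second=0, microsecond=0))
        per_user_hour[bucket].add(r["patient"])

    # Rule 3: one user touching many distinct records in a short window.
    for (user, hour), patients in per_user_hour.items():
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_HOUR:
            findings.append(("bulk_access", user,
                             f"{len(patients)} records in hour starting {hour.isoformat()}"))

    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:<20} {user:<10} {detail}")
```

On the constructed input the review produces three findings: the after-hours access by drsmith, the six-record burst by billing7, and the use of the terminated jdoe_old account. Each of these is the kind of event an auditor expects to see both logged and acted on, and the thresholds are deliberately exposed as constants because the right values depend on the role mix and workload of the organisation.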
Integrity Controls
Technical mechanisms must be in place to ensure that ePHI is not improperly altered or destroyed. This includes file integrity monitoring, checksums or digital signatures for transmitted data, and backup procedures that allow detection of corruption.
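File integrity monitoring is the most concrete of the integrity controls listed above. As an added example (not code from the original article), the block below records a baseline of SHA-256 digests for the files that hold ePHI, authenticates that baseline with an HMAC so that someone who alters the data and then edits the baseline to match is still detected, and reports files that were modified, added or deleted. The directory layout, file contents and key are constructed; a real deployment would keep the key off the monitored host and the baseline on write-once or separately controlled storage.

```python
"""File integrity monitoring with an HMAC-authenticated baseline (added example).

Directory layout, file contents and the key are constructed for this example.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key; in practice held separately from the monitored system.
BASELINE_KEY = b"constructed-demo-key-rotate-me"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Digest every regular file under root; return (manifest, mac)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    serialised = json.dumps(manifest, sort_keys=True).encode()
    mac = hmac.new(BASELINE_KEY, serialised, hashlib.sha256).hexdigest()
    return manifest, mac


def verify_baseline(manifest, mac):
    """True only if the manifest has not been altered since it was signed."""
    serialised = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(BASELINE_KEY, serialised, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def check_integrity(root, manifest, mac):
    """Compare the current tree against the baseline.

    Returns 'baseline_ok' plus sorted lists of modified, added and deleted
    relative paths.
    """
    current, _ = build_baseline(root)
    return {
        "baseline_ok": verify_baseline(manifest, mac),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "deleted": sorted(p for p in manifest if p not in current),
    }


def demo():
    """Create a constructed ePHI directory, take a baseline, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "records"))
        with open(os.path.join(root, "records", "pt-1001.json"), "w") as f:
            f.write('{"patient": "PT-1001", "allergy": "penicillin"}')
        with open(os.path.join(root, "records", "pt-1002.json"), "w") as f:
            f.write('{"patient": "PT-1002", "allergy": "none"}')

        manifest, mac = build_baseline(root)
        clean = check_integrity(root, manifest, mac)

        # Simulate an improper alteration, a deletion and an unexpected new file.
        with open(os.path.join(root, "records", "pt-1001.json"), "w") as f:
            f.write('{"patient": "PT-1001", "allergy": "none"}')
        os.remove(os.path.join(root, "records", "pt-1002.json"))
        with open(os.path.join(root, "records", "pt-9999.json"), "w") as f:
            f.write("{}")
        tampered = check_integrity(root, manifest, mac)

        # Editing the baseline to hide the change breaks its MAC.
        forged = dict(manifest)
        forged["records/pt-1001.json"] = "0" * 64
        forged_ok = verify_baseline(forged, mac)

    return clean, tampered, forged_ok


if __name__ == "__main__":
    clean, tampered, forged_ok = demo()
    print("clean run:", clean)
    print("after tampering:", tampered)
    print("forged baseline accepted:", forged_ok)
```

The same pattern (digest plus a keyed MAC or a signature over the digest list) covers the transmitted-data case in the paragraph above: the sender computes the manifest and MAC, the receiver recomputes and compares, and any mismatch is treated as corruption until shown otherwise.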
Transmission Security
ePHI transmitted over networks must be protected against unauthorised access. Encryption in transit, typically TLS 1.2 or higher, is the standard implementation; the rule lists it as an addressable specification, which still means it must be implemented or replaced with a documented equivalent.
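Enforcing "TLS 1.2 or higher" is a configuration decision on every service that handles ePHI, and it is worth making it explicit rather than relying on library defaults that vary by version. The block below is an added example, not code from the original article, showing how a Python service pins the minimum protocol version on both its client and server contexts and how an audit helper can check an arbitrary context against that policy. The function names are this example's own; the ssl module calls are standard library. Certificate paths are left as parameters so the example runs without any files.

```python
"""Enforcing TLS 1.2 or higher for ePHI in transit (added example).

Function names are this example's own; only the ssl module is standard library.
"""
import ssl

POLICY_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context():
    """Outbound connections: verify the peer and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = POLICY_MIN_VERSION
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_server_context(certfile=None, keyfile=None):
    """Inbound connections: TLS 1.2+ only, compression off.

    certfile/keyfile are optional here so the example runs without
    certificates; pass the service's own paths in deployment.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = POLICY_MIN_VERSION
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_context():
    """The setting an auditor should flag: any version OpenSSL supports is allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def meets_transmission_policy(ctx):
    """Audit helper: does a context satisfy the TLS 1.2+ requirement?"""
    return ctx.minimum_version >= POLICY_MIN_VERSION


if __name__ == "__main__":
    print("hardened client ok:", meets_transmission_policy(hardened_client_context()))
    print("hardened server ok:", meets_transmission_policy(hardened_server_context()))
    print("weak context ok:   ", meets_transmission_policy(weak_context()))
```

The audit helper is the piece most teams lack: a check that can be run in CI or a configuration review to prove, rather than assert, that every context a service creates meets the policy.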
Encryption Requirements
Encryption is addressable rather than required under HIPAA, but this framing is misleading for most modern healthcare organisations. Unencrypted ePHI on portable devices and laptops is the single most common source of HIPAA breach reports involving physical media. OCR's guidance is clear that encryption is the most effective safeguard for data on portable devices.
Practically, organisations should encrypt ePHI at rest on all workstations, laptops, mobile devices, and portable storage using AES-256 or equivalent. ePHI in transit must be encrypted with TLS. Database-level encryption should be applied to databases holding ePHI. Encryption keys must be managed separately from the data they protect, with documented key management procedures.
Business Associate Agreements
Any vendor, contractor, or service provider that creates, receives, maintains, or transmits ePHI on behalf of a covered entity is a business associate and must sign a Business Associate Agreement (BAA). Cloud providers, EHR vendors, IT managed service providers, billing companies, and many other third parties fall into this category.
A BAA must specify the permitted uses of ePHI, require the business associate to implement appropriate safeguards, require breach notification to the covered entity, and address how ePHI will be handled at the end of the relationship.
Maintaining an inventory of all business associates and ensuring current BAAs are in place for each is an ongoing compliance obligation, not a one-time exercise. Acquisitions, new vendor relationships, and changes to existing vendor scope all trigger BAA requirements.
Common OCR Audit Findings
OCR's audit programme and enforcement actions consistently identify the same deficiencies:
- Incomplete risk analysis — Scope limited to specific systems rather than the full ePHI environment, or not updated since an initial assessment.
- No risk management plan — Risk analysis completed but not followed by documented, prioritised remediation.
- Insufficient access controls — Shared accounts, failure to revoke access for terminated employees, excessive access privileges.
- Inadequate audit logging — No centralised log management, logs not reviewed, insufficient retention.
- Missing or inadequate BAAs — Third-party relationships not identified, BAAs out of date or missing required provisions.
- Inadequate workforce training — Training not documented, content insufficient, or frequency inadequate.
Penalties
HIPAA civil monetary penalties are tiered by culpability. At the lowest tier, violations where the covered entity was unaware can result in penalties of $100 to $50,000 per violation category per year. At the highest tier, wilful neglect not corrected within 30 days can result in $50,000 per violation category per year with a minimum of $10,000. OCR has imposed multi-million-dollar settlements for significant breaches — particularly where risk analysis failures are identified.
State attorneys general can also bring enforcement actions under HIPAA, and some states impose additional requirements under state privacy laws that apply independently of HIPAA.
FZ Consulting LLP provides HIPAA compliance assessments, risk analysis, and remediation support for healthcare organisations and their technology vendors. Speak to our team about building a compliance programme that meets both regulatory requirements and your operational environment.