Skip to main content

Stratis Health Twitter Stratis Health LinkedIn Stratis Health YouTube
Lock, keyboard and mouse

Section Links

HIPAA Security Rule


“'The guidelines underscore a higher goal of the HIPAA Security Rule: helping organizations maintain their data’s confidentiality, integrity, and accessibility. Understanding the guidelines and their greater goal can help organizations implement best practices to better protect their ePHI.”

quote bubble - Mahmood Sher-Jan
VP, Product Management, IDExperts

The HIPAA Security Rule went into effect in April 2005 and was the first attempt at a nationwide security standard for the protection of electronic protected health information (ePHI). The main goal of the HIPAA Security Rule is to implement the proper safeguards to protect the confidentiality, integrity, and accessibility (CIA) of ePHI. The second goal is to protect patient information while allowing the health care industry to expand and utilize technology to advance care delivery.

There are 4 distinct parts to the Security Rule:

  1. Administrative Safeguards are administrative actions, including the establishment of policies and procedures, to manage the activities needed to establish security measures that protect ePHI.
  2. Physical Safeguards are physical measures, including policies and procedures, to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
  3. Technical Safeguards are the technology, including policies and procedures for its use, that protect ePHI and control access to it.
  4. Organizational Safeguards are arrangements made between organizations to protect ePHI, including Business Associate Agreements.

Each of the requirements under the Security Rule is divided into two categories of standards: required and addressable. The Required standards are mandated and an organization must comply and implement proper protocols to meet the requirement. Addressable standards may be implemented if the organization feels the standards are appropriate. If an organization determines that an addressable standard is not pertinent, the organization must document why the determination was made and implement another security measure that is comparable to the standard.

The HIPAA Security Rule was created to have scalability on implementation since every organization is configured differently. How organizations implement the security measures is dependent on the following factors:

  • The organization’s size, complexity, and capabilities;
  • The organization’s technical infrastructure, hardware, and software security capabilities;
  • The costs of security measures;
  • The probability and criticality of potential risks to e-PHI.

This Privacy and Security toolkit has created a specific section for each of the components of the HIPAA Security Rule to help guide and understand the different requirements.

Tools and Resources

Department of Health and Human Services HIPAA Security Rule. U.S. Department of Health and Human Services. (2-minute video)

This Privacy & Security portal was originally developed by the Regional Extension Center for Minnesota and North Dakota. REACH, co-led by Stratis Health, was federally funded through the Office of the National Coordinator, Department of Health and Human Services.