The HIPAA Security Rule Explained

The HIPAA Security Rule sets the standards for protecting electronic protected health information (ePHI). Here's a plain-language breakdown of its three safeguard categories and what compliance actually requires.

What is the HIPAA Security Rule?

The Security Rule is the part of HIPAA that protects electronic PHI (ePHI). Where the Privacy Rule covers all PHI, the Security Rule focuses on the confidentiality, integrity, and availability of ePHI through three categories of required safeguards.

Administrative safeguards

The largest category — the policies and processes that manage security. These include your risk analysis and risk management program, workforce training and sanctions, access management, and contingency planning.

Physical safeguards

Controls that protect the physical systems and facilities holding ePHI: facility access controls, workstation use and security, and device and media controls (including secure disposal and reuse).

Technical safeguards

The technology controls that protect ePHI and control access to it: access control and unique user IDs, audit controls, integrity controls, and transmission security such as encryption.

See where you stand on every safeguard

Wardably's guided HIPAA Risk Assessment walks you through the Administrative, Physical, and Technical safeguards and scores your readiness — no security background required.


Frequently asked questions

What are the three categories of safeguards in the Security Rule?

Administrative safeguards (policies, training, risk management), Physical safeguards (facility and device controls), and Technical safeguards (access control, audit logs, encryption).

How does the Security Rule differ from the Privacy Rule?

The Privacy Rule governs how all PHI may be used and disclosed; the Security Rule protects electronic PHI specifically, through administrative, physical, and technical safeguards.

This guide is for general educational purposes and is not legal advice. Consult a qualified professional for guidance specific to your organization.