The HIPAA Security Rule Explained
The HIPAA Security Rule sets the standards for protecting electronic protected health information (ePHI). Here's a plain-language breakdown of its three safeguard categories and what compliance actually requires.
What is the HIPAA Security Rule?
The Security Rule is the part of HIPAA that protects electronic PHI (ePHI). Where the Privacy Rule covers all PHI, the Security Rule focuses on the confidentiality, integrity, and availability of ePHI through three categories of required safeguards.
Administrative safeguards
The largest category — the policies and processes that manage security. These include your risk analysis and risk management program, workforce training and sanctions, access management, and contingency planning.
Physical safeguards
Controls that protect the physical systems and facilities holding ePHI: facility access controls, workstation use and security, and device and media controls (including secure disposal and reuse).
Technical safeguards
The technology controls that protect ePHI and control access to it: access control and unique user IDs, audit controls, integrity controls, and transmission security such as encryption.
See where you stand on every safeguard
Wardably's guided HIPAA Risk Assessment walks you through the Administrative, Physical, and Technical safeguards and scores your readiness — no security background required.
This guide is for general educational purposes and is not legal advice. Consult a qualified professional for guidance specific to your organization.