Cyber One Solutions logo.
Get Support

Compliance

A Practical Guide to the HIPAA Security Rule

July 14, 2026 ·

The HIPAA Security Rule sets administrative, physical, and technical safeguards for electronic protected health information. This guide translates it into practical terms for healthcare practices and business associates, explains required versus addressable specifications, and shows why the security risk analysis is the foundation.

A healthcare practice or a vendor that handles patient data on a practice's behalf is expected to protect that data in specific, documented ways. The HIPAA Security Rule is where those expectations are written down. It is codified at 45 CFR Part 160 and Part 164 (Subparts A and C) and enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

The Security Rule governs one thing: electronic protected health information, or ePHI. It sets a framework for keeping that information confidential, available, and unaltered. It does not prescribe a single product or brand of technology. Instead, it describes outcomes and lets each organization decide how to reach them based on its size, complexity, and risk.

This guide translates the rule into practical terms for the people who have to live with it: the covered entity running the practice and the business associate supporting it. The goal is to help you understand what the rule asks for, why the security risk analysis sits at the center of everything, and where a security partner fits without taking on your legal responsibility.

What ePHI Is And Who Is Covered

ePHI is protected health information that is created, received, maintained, or transmitted in electronic form. That includes records in your practice management system, images, lab results, billing files, email that contains patient detail, and backups of any of it.

Two groups fall under the rule. Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with covered transactions. Business associates are the vendors that create, receive, maintain, or transmit ePHI on a covered entity's behalf: IT providers, billing companies, cloud hosts, and similar service firms. Since the HITECH Act, business associates carry direct obligations under the Security Rule, not just contractual ones.

If you are a practice, you are almost certainly a covered entity. If you handle ePHI for one, you are a business associate. Either way, the safeguards below apply to you.

The Three Safeguard Categories

The Security Rule organizes its requirements into three groups.

Administrative safeguards are the policies, procedures, and management actions that govern how your workforce handles ePHI. This is the largest category and includes the risk analysis, assigned security responsibility, workforce clearance and termination procedures, training, and incident response.

Physical safeguards protect the hardware and facilities where ePHI lives. Think facility access controls, workstation use and security policies, and rules for reusing or disposing of devices and media that held patient data.

Technical safeguards are the technology controls that protect ePHI and govern access to it: access controls, audit controls, integrity controls, and transmission security.

No single category stands alone. A strong firewall does little if a former employee's account is never disabled, and a well-written policy does little if no technical control enforces it.

Required Versus Addressable

Within each category, the rule lists implementation specifications, and each one is labeled either required or addressable. This distinction is widely misread, so it is worth stating plainly.

Required means you must implement the specification as written.

Addressable does not mean optional. For an addressable specification, you must assess whether it is reasonable and appropriate for your environment. If it is, you implement it. If it is not, you document why, and you implement an equivalent alternative measure that achieves the same protection. Skipping an addressable item without that analysis and documentation is a common finding in enforcement reviews.

Encryption of ePHI is the clearest example. It is an addressable specification in several places in the rule. In most modern environments, encryption of data at rest and in transit is both reasonable and appropriate, so the practical answer is usually to encrypt and record that decision.

The Security Risk Analysis Is The Foundation

Every other control depends on the security risk analysis. It is a required administrative safeguard, and it is the first thing OCR looks for. The risk analysis is an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI your organization holds.

In practical terms, you inventory where ePHI is created, stored, transmitted, and received, identify the threats and vulnerabilities to each location, evaluate current controls, and rate the likelihood and impact of each risk. That analysis then drives risk management: the concrete steps you take to reduce risks to a reasonable level.

The reason the risk analysis comes first is structural. You cannot decide whether an addressable specification is reasonable and appropriate, or which alternative measure to adopt, until you understand your own risk picture. A security risk assessment done well becomes the evidence trail behind every later decision. It is not a one-time exercise. The rule expects ongoing risk management, so the analysis is revisited as systems, vendors, and threats change.

The Core Technical And Administrative Controls

Beyond the risk analysis, a workable Security Rule program comes down to a set of core controls that reinforce one another.

Access controls and unique user identification. Each workforce member gets a unique login, and access to ePHI is limited to what the person's role requires. This makes activity attributable to an individual and supports the minimum necessary principle.

Audit controls. Systems that hold ePHI record and let you examine activity, so you can detect and reconstruct inappropriate access.

Integrity controls. Mechanisms that protect ePHI from improper alteration or destruction, so records stay accurate and trustworthy.

Transmission security. Protection for ePHI moving across networks, which in practice means encrypting data in transit and controlling how it is sent.

Encryption of ePHI. Addressable, but in most settings the appropriate choice for both stored and transmitted data.

Contingency planning. A required set of measures that keep ePHI available when something goes wrong, including a data backup plan, a disaster recovery plan, and an emergency mode operation plan so care and operations can continue.

Workforce security and training. Procedures for granting, reviewing, and revoking access, plus security awareness training so staff recognize threats such as phishing and mishandled data.

Business associate agreements. Before a vendor touches your ePHI, a written BAA must be in place that binds the vendor to safeguard it. This is where a practice's security perimeter extends to its supply chain.

How Cyber One Solutions Fits

Cyber One Solutions implements and maintains the technical and administrative safeguards the Security Rule calls for. That work includes standing up access and audit controls, configuring encryption, building and testing backup and contingency capabilities, hardening endpoints and networks, delivering workforce training, and helping structure the documentation that supports your risk decisions.

What Cyber One Solutions does not do, and what no vendor can honestly promise, is make you compliant on your behalf. Compliance is the covered entity's legal responsibility. A provider can supply and operate the safeguards, contribute to the risk analysis, and sign a BAA as your business associate, but accountability for the program stays with the covered entity. Our role is to make the safeguards real and keep them working. You can learn more about our HIPAA security compliance services and our broader compliance support.

Article FAQs

What Is The Difference Between A Required And An Addressable Implementation Specification?

Required means you must implement the specification exactly as the rule states. Addressable means you must evaluate whether the specification is reasonable and appropriate for your environment. If it is, you implement it; if it is not, you document that decision and put an equivalent alternative measure in place. Addressable is never a license to ignore a control.

Can An IT Provider Make My Practice HIPAA Compliant?

No provider can make you compliant, because compliance is the covered entity's legal responsibility under the Security Rule. What a provider can do is implement and maintain the safeguards the rule requires, contribute to your risk analysis, and serve as a business associate under a signed BAA. Cyber One Solutions supports the safeguards; the accountability for your compliance program remains with you.

Why Is The Security Risk Analysis So Important?

The risk analysis is a required safeguard and the foundation the rest of the program builds on. It identifies where your ePHI lives and the threats to it, which is what lets you decide how to apply controls and whether addressable specifications are appropriate. Without it, later decisions have no documented basis, which is a frequent problem in OCR reviews.

Does The Security Rule Require Encryption?

Encryption of ePHI is an addressable specification in several parts of the rule, not a flat requirement. In practice, encryption of data at rest and in transit is usually reasonable and appropriate, so most organizations implement it and document that choice. If you choose not to encrypt in a given case, you must justify that decision and adopt an equivalent alternative.

Do Business Associates Have To Follow The Security Rule?

Yes. Business associates that create, receive, maintain, or transmit ePHI carry direct obligations under the Security Rule, not only contractual ones. A written business associate agreement must be in place with the covered entity, and the business associate is responsible for the safeguards that apply to the ePHI it handles.

If you are working through where your safeguards stand today, talk with us about a structured starting point built around your risk analysis.