
Health Insurance Portability and Accountability Act (HIPAA) Security Rule

The HIPAA Security Rule is a Federal sectoral rule that establishes national standards to protect individuals’ electronic protected health information (ePHI) handled and maintained by certain entities in the healthcare industry.

Who does HIPAA apply to?

The HIPAA Security Rule applies to HIPAA Covered Entities (i.e. healthcare providers, health plans and healthcare clearinghouses) and, by extension, their Business Associates (i.e. service providers of a Covered Entity) that create, receive, maintain or transmit health information in electronic form.

Requirements under the HIPAA Security Rule

Confidentiality, integrity and availability of ePHI

Put in place appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI. Identify and protect against security threats and reasonably anticipated, impermissible uses or disclosures.

Risk analysis and management

Evaluate the likelihood and impact of potential risks to ePHI and implement appropriate security measures to address the identified risks. Regularly review those security measures and improve them where necessary.

Business Associate agreements

Put in place agreements with Business Associates that require them to safeguard ePHI processed on behalf of the Covered Entity, report security breaches, and execute similar agreements with their own subcontractors.


  • Are all businesses that handle PHI subject to the HIPAA Security Rule?

    The HIPAA Security Rule only applies to those organizations that meet the definition of a Covered Entity (i.e., healthcare providers, health plans, healthcare clearinghouses that electronically transmit ePHI) or Business Associate. It does not apply to employers handling employee health information, or to other organizations that do not meet these requirements.

  • Is all health information regulated by the HIPAA Security Rule?

    Health information is only protected by the HIPAA Security Rule where it is created or received by a Covered Entity, relates to the past, present or future physical or mental health or condition of an individual, and is maintained or transmitted in electronic form.

  • Who enforces the HIPAA Security Rule?

    The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing compliance with the HIPAA Security Rule.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
