The HIPAA Security Rule Explained: 3 Safeguard Categories, Requirements, and the 2026 Changes
In this article:
- What the HIPAA Security Rule Actually Covers
- Who the HIPAA Security Rule Applies To
- The Three HIPAA Security Safeguard Categories
- Required vs. Addressable: What the Distinction Actually Means
- HIPAA Security Rule vs. Privacy Rule: Key Differences
- The Proposed 2026 HIPAA Security Rule Updates
- A Practical HIPAA Compliance Checklist for Small Practices
- Common HIPAA Security Rule Violations and How OCR Enforces Them
- If You’re a Business Associate, Not a Covered Entity
- Where a Managed IT Provider Fits
- Frequently Asked Questions
- Protecting Your Organization Before OCR Comes Knocking
TL;DR: The HIPAA Security Rule is the “how” of HIPAA: the Privacy Rule defines what health information is protected, and the Security Rule defines how you must protect the electronic version of it (ePHI). It organizes its requirements into 3 safeguard categories — administrative, physical, and technical — each containing required and addressable specifications. Proposed 2026 updates would make MFA and encryption mandatory for the first time since the rule was finalized in 2003.
According to IBM’s 2023 Cost of a Data Breach Report, healthcare organizations recorded an average breach cost of $10.93 million, the highest of any industry for the 13th consecutive year. Every dollar of that exposure traces back to a failure somewhere in the controls the HIPAA Security Rule requires.
Most organizations cite the rule. Fewer understand what it actually requires. The three safeguard categories, the required-versus-addressable distinction, and the significant changes proposed for 2026 are where organizations of all sizes consistently fall short.
This article explains the three safeguard categories in practical terms and clarifies the required vs. addressable distinction that trips up most organizations. It also breaks down the proposed 2026 updates that would make encryption and multi-factor authentication (MFA) mandatory for the first time.
What the HIPAA Security Rule Actually Covers
The Security Rule is a federal standard established under the Health Insurance Portability and Accountability Act (HIPAA), codified at 45 CFR Parts 160 and 164. The Department of Health and Human Services (HHS) finalized the rule in 2003. It sets national requirements for protecting electronic protected health information (ePHI) that an organization creates, receives, maintains, or transmits.
The distinction between ePHI and protected health information (PHI) matters here. Unlike the HIPAA Privacy Rule, which covers PHI in any format including paper records and verbal conversations, the Security Rule applies exclusively to ePHI. A printed patient chart falls under the Privacy Rule. The digital version of that same chart falls under both.
Three properties underpin every requirement in the rule: confidentiality (only authorized individuals access ePHI), integrity (ePHI is not altered or destroyed improperly), and availability (ePHI is accessible to authorized users when needed).
For a detailed breakdown of what qualifies as protected health information in the first place, see our guide to the 18 PHI identifiers HIPAA protects.
Who the HIPAA Security Rule Applies To
The Security Rule applies to covered entities and business associates alike. Size does not reduce those obligations for either.
- Covered entities: health plans (including Medicare and Medicaid managed plans), healthcare clearinghouses, and any healthcare provider that transmits health information electronically for covered transactions
- Business associates: vendors, contractors, or subcontractors that create, receive, maintain, or transmit ePHI on behalf of a covered entity; this includes IT service providers, EHR vendors, cloud storage providers, and medical billing companies
- Business associate agreements (BAAs): legally required contracts that extend Security Rule obligations directly to business associates; a missing or inadequate BAA is itself a compliance violation
- No size exemption: a 12-person medical practice carries the same core Security Rule obligations as a large hospital system
For a full breakdown of which organizations fall into each compliance category, see who must comply with HIPAA.
IT service providers acting as business associates often carry overlapping compliance obligations. Those that also handle payment card data for clients face parallel requirements under PCI compliance frameworks alongside their HIPAA responsibilities.
The Three HIPAA Security Safeguard Categories
The Security Rule organizes its requirements into three safeguard categories. Each contains both required and addressable implementation specifications, and no category can be skipped entirely.
Administrative Safeguards cover policies, procedures, and workforce management. Key specifications include:
- A security risk analysis and a documented risk management process
- A designated security officer responsible for Security Rule compliance
- Workforce training and security awareness programs
- Contingency planning covering backup procedures and disaster recovery
Physical Safeguards govern physical access to the facilities and systems where ePHI lives. Specifications include:
- Facility access controls
- Workstation use and security policies
- Device and media controls, including proper disposal procedures for equipment that has stored ePHI
Technical Safeguards cover technology controls applied directly to ePHI systems:
- Unique user access controls and automatic logoff
- Audit controls and integrity controls
- Transmission security, including encryption in transit
A persistent compliance gap appears across organizations of every size. Administrative safeguards get handed to HR. Technical safeguards go to IT. Nobody owns the overlap between the two.
Required vs. Addressable: What the Distinction Actually Means
Most organizations misread this part of the rule, sometimes in ways that leave them completely undefended when the Office for Civil Rights (OCR) opens an investigation. The framework works in four steps:
- Required specifications must be implemented exactly as written. No alternative measures and no exceptions based on budget or organization size.
- Addressable specifications require the organization to assess whether the specification is reasonable and appropriate for its environment and risk profile.
- If the specification is appropriate, implement it. If it is not appropriate, document why and implement an equivalent alternative that achieves the same protective outcome.
- Whatever the decision, record it in writing. An undocumented addressable decision is treated by OCR the same as no decision at all.
HHS has been explicit: “addressable” reflects the reality that technical environments vary across organizations, not a license to skip controls the organization finds inconvenient.
Consider a practical example. Under the current rule, encrypting ePHI at rest is an addressable specification. An organization that does not encrypt must maintain a written risk assessment explaining why encryption is not reasonable in its environment and which compensating control replaces it.
No documentation means no defense.
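The four-step framework above can be encoded as a simple gap-assessment check. The example below is added here and is not from the original article; the specification list, the "current" versus "proposed_2026" rule sets (reflecting only the MFA and encryption changes the article attributes to the NPRM) and the sample control record are constructed assumptions.

```python
"""Gap-assessment model for the required-vs-addressable framework.

Constructed example: the specification names, the two rule sets and the
sample control record are assumptions for illustration, not an official
HHS/OCR list. The only difference between the rule sets is the one the
article describes: MFA and encryption moving from addressable to required.
"""
from __future__ import annotations
from dataclasses import dataclass

# Specifications treated as addressable under each rule version (assumed subset).
ADDRESSABLE = {
    "current": {"mfa", "encryption_at_rest", "encryption_in_transit"},
    "proposed_2026": set(),
}
SPECS = ["risk_analysis", "unique_user_ids", "audit_controls",
         "mfa", "encryption_at_rest", "encryption_in_transit"]


@dataclass
class ControlRecord:
    implemented: bool
    rationale: str = ""     # written reason the control is not reasonable/appropriate
    alternative: str = ""   # compensating control that replaces it


def assess(record: dict[str, ControlRecord], rule: str = "current") -> dict[str, str]:
    """Apply the four-step framework and return one finding per specification."""
    findings = {}
    for spec in SPECS:
        rec = record.get(spec, ControlRecord(implemented=False))
        if rec.implemented:
            findings[spec] = "ok: implemented"
        elif spec not in ADDRESSABLE[rule]:
            # Required specs allow no alternative and no size/budget exception.
            findings[spec] = "violation: required specification not implemented"
        elif rec.rationale and rec.alternative:
            # Addressable and not implemented is acceptable only with both documented.
            findings[spec] = "ok: addressable, documented alternative in place"
        else:
            # Undocumented addressable decision is treated as no decision at all.
            findings[spec] = "violation: addressable decision undocumented"
    return findings


def violations(record: dict[str, ControlRecord], rule: str = "current") -> list[str]:
    """Sorted list of specifications that fail under the given rule version."""
    return sorted(k for k, v in assess(record, rule).items() if v.startswith("violation"))


# Constructed sample: a practice that documented its encryption-at-rest exception
# (placeholder text) but never recorded any decision on MFA.
SAMPLE = {
    "risk_analysis": ControlRecord(True),
    "unique_user_ids": ControlRecord(True),
    "audit_controls": ControlRecord(True),
    "encryption_in_transit": ControlRecord(True),
    "encryption_at_rest": ControlRecord(False, rationale="<placeholder>", alternative="<placeholder>"),
    "mfa": ControlRecord(False),
}

if __name__ == "__main__":
    for rule in ("current", "proposed_2026"):
        print(rule, "->", violations(SAMPLE, rule))
```

The same control record yields one finding under the current rule (the undocumented MFA decision) and two under the proposed rule, because a documented exception no longer satisfies a specification once it becomes required.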
HIPAA Security Rule vs. Privacy Rule: Key Differences
OCR within HHS enforces both the Privacy Rule and the Security Rule. A single breach event can trigger violations of both simultaneously.
The core distinction is scope. The Privacy Rule covers all PHI in any format and governs when and how that information can be used or disclosed. The Security Rule is narrower: it applies only to ePHI and specifies the technical and administrative controls required to protect it.
HIPAA comprises five primary rules:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
- The Enforcement Rule
- The Transactions and Code Sets Rule
An organization subject to one is typically subject to all five.
The 2013 Omnibus Rule extended both the Privacy Rule and the Security Rule directly to business associates and clarified the penalty tier structure for breach notification violations.
For organizations with obligations beyond healthcare, compliance frameworks can stack. IT service providers that serve both healthcare and financial services clients often carry requirements that extend beyond HIPAA. Vendors subject to the FTC Safeguards Rule alongside their HIPAA obligations benefit from coordinating those requirements through structured FTC compliance services rather than managing each framework separately.
The Proposed 2026 HIPAA Security Rule Updates
In January 2025, HHS published a Notice of Proposed Rulemaking (NPRM) to update the Security Rule for the first time since its 2003 finalization. The proposed changes are substantial.
Key proposals from the NPRM:
- MFA becomes required. Multi-factor authentication would shift from an addressable specification to a required one, eliminating the risk-assessment workaround that organizations currently use to defer implementation.
- Encryption becomes required. Encryption of ePHI both at rest and in transit would also move from addressable to required.
- Technology asset inventory and network map. Organizations would need to maintain a current inventory of all technology assets and a network map, each reviewed and updated at least annually.
- More prescriptive risk analysis documentation. Annual security risk analyses would carry stricter documentation requirements, closing the gap in how organizations currently interpret that obligation.
- Regular vulnerability testing. Organizations would need to run vulnerability scans on a recurring schedule and penetration testing at least annually.
- 72-hour recovery time objective. Contingency plans would need to specify a recovery time objective of 72 hours for critical systems.
The final rule has not been published. Organizations that begin gap assessments now will be better positioned than those that wait. Retrofitting MFA and encryption across all ePHI systems takes longer than most compliance timelines allow.
A Practical HIPAA Compliance Checklist for Small Practices
For a dental office, PT clinic, benefits broker, or any other small organization handling ePHI, Security Rule compliance reduces to a manageable set of actions. Twelve items, mapped to the three safeguard categories:
Administrative
- Complete a documented security risk analysis — and review it at least annually and after any major system change.
- Designate a security officer in writing. One named person owns Security Rule compliance.
- Run security awareness training for every employee who touches ePHI, with dates and attendance documented.
- Maintain a contingency plan covering data backups and disaster recovery — and test it, don’t just file it.
Physical
- Control physical access to the spaces where servers, workstations, and ePHI storage live.
- Set workstation use and security policies, including screen locking in patient-facing areas.
- Keep an inventory of every device and medium that stores ePHI — laptops, USB drives, phones.
- Follow documented disposal procedures before retiring or recycling any equipment that has held ePHI.
Technical
- Give every user a unique login — no shared credentials — and enable automatic logoff.
- Turn on audit logging for every system that stores or accesses ePHI.
- Encrypt ePHI in transit now, and at rest ahead of the proposed 2026 requirement.
- Enable MFA on ePHI system access before the NPRM makes it mandatory.
Two items sit outside the categories but fail audits just as fast: a signed BAA with every vendor that touches your ePHI, and a written record of every addressable specification decision.
Common HIPAA Security Rule Violations and How OCR Enforces Them
OCR opens investigations from two sources: breach reports filed by covered entities and complaints filed by individuals. In both cases, the first document requested is a current, documented security risk analysis.
Organizations without one have no defense on the most frequently cited violation.
The most common enforcement targets:
- Missing or inadequate security risk analyses. This is the single most cited violation in OCR investigations. The requirement lives in the Administrative Safeguards, but organizations perform it too infrequently or document it too superficially to survive scrutiny.
- Lack of access controls. This includes former employees retaining ePHI system access after termination, shared user credentials, and no role-based permission structure.
- Absent or incomplete BAAs. Missing business associate agreements with IT vendors, cloud storage providers, and third-party processors are a consistent enforcement target.
- Unencrypted portable devices. Laptops, USB drives, and mobile devices containing ePHI are a persistent source of reportable breaches that automatically trigger OCR review under breach notification rules.
- Insufficient workforce training. The absence of a documented security awareness program covering PHI handling procedures is both a standalone violation and an indicator of broader program failure.
According to HHS’s HIPAA Enforcement Rule, OCR can assess civil monetary penalties up to $2.19 million per violation category per calendar year. Willful neglect with no corrective action draws the highest penalty tier. Penalties scale across four tiers based on culpability:
| Penalty tier | Culpability | Annual cap per violation category |
|---|---|---|
| Tier 1 | No knowledge; could not reasonably have known | — |
| Tier 2 | Reasonable cause; not willful neglect | — |
| Tier 3 | Willful neglect, corrected within 30 days | — |
| Tier 4 | Willful neglect, not corrected | Up to $2.19 million |
The enforcement record shows where these failures land. Anthem paid $16 million in 2018 — the largest HIPAA settlement OCR had reached at the time — after an investigation that cited risk analysis failures, and Premera Blue Cross paid $6.85 million in 2020 on similar findings. The pattern repeats at every organization size: the missing risk analysis is what turns a breach into a penalty.
Structured HIPAA compliance services address these gaps systematically, covering risk analysis documentation, access control implementation, BAA review, and technical safeguard management.
If You’re a Business Associate, Not a Covered Entity
Since the 2013 Omnibus Rule, the Security Rule applies to business associates directly. OCR can investigate and penalize your organization on its own — not just through your covered-entity clients. The BAA you signed does not transfer your obligations to the client; it confirms that you carry them yourself.
That means a business associate needs its own risk analysis, its own safeguards across all three categories, and its own documentation trail. An IT vendor, billing company, or cloud provider that has never run a security risk analysis is exposed regardless of how compliant its healthcare clients are. The same logic extends downward: subcontractors that touch ePHI on your behalf need BAAs with you and carry the same obligations.
If you’re not sure which side of the covered-entity line your organization sits on, the decision framework linked earlier in this article walks through it.
Where a Managed IT Provider Fits
The Security Rule holds your organization accountable, but most of the work it requires is exactly what a managed IT provider does daily. The split of responsibilities is straightforward:
- You own the decisions: designating a security officer, approving addressable specification determinations, signing BAAs.
- A provider can execute the rest: conducting and documenting the security risk analysis, implementing technical safeguards — MFA, encryption, audit logging, role-based access controls — maintaining the technology asset inventory the 2026 changes would require, and keeping the documentation current enough to produce on demand.
For a small practice, that division is usually the difference between a compliance program that exists on paper and one that survives an OCR records request.
Frequently Asked Questions
What are the three categories of HIPAA Security Rule safeguards?
Administrative, physical, and technical. Administrative safeguards cover policies, risk analysis, workforce training, and contingency planning. Physical safeguards govern facility access, workstation security, and device and media controls. Technical safeguards apply controls directly to ePHI systems: unique user access, audit logging, integrity controls, and transmission security. No category can be skipped — every covered entity and business associate must address all three.
What is the difference between the HIPAA Privacy Rule and Security Rule?
The Privacy Rule covers protected health information in any format — paper, verbal, or electronic — and governs when that information can be used or disclosed. The Security Rule applies only to electronic PHI (ePHI) and specifies the administrative, physical, and technical controls required to protect it. A printed patient chart falls under the Privacy Rule; the digital version of the same chart falls under both.
What are the new HIPAA changes for 2026?
In January 2025, HHS proposed the first Security Rule update since 2003. The NPRM would make MFA and encryption of ePHI — at rest and in transit — required rather than addressable, mandate an annually updated technology asset inventory and network map, tighten risk analysis documentation, require recurring vulnerability scans and annual penetration testing, and set a 72-hour recovery time objective for critical systems. The final rule has not been published.
What are the 5 main HIPAA rules?
The Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the Transactions and Code Sets Rule. The Privacy Rule governs use and disclosure of PHI, the Security Rule sets protection standards for ePHI, the Breach Notification Rule dictates reporting after an incident, and the Enforcement Rule defines penalty structure. An organization subject to one is typically subject to all five.
What is the difference between required and addressable specifications?
Required specifications must be implemented exactly as written — no alternatives, no exceptions for budget or organization size. Addressable specifications require assessing whether the control is reasonable for your environment: implement it if so, or document why not and put an equivalent alternative in place. Addressable never means optional. An undocumented addressable decision is treated by OCR the same as no decision at all.
Protecting Your Organization Before OCR Comes Knocking
When Security Rule compliance is working correctly, every ePHI access is logged, workforce training is documented, and addressable specification decisions are on file. The organization can produce evidence of its controls within hours of an OCR inquiry. The goal isn’t to pass an audit. It’s to operate at a standard where an audit never becomes a crisis.
LeadingIT provides HIPAA compliance support and cybersecurity services to healthcare-adjacent organizations across the Chicagoland area. That includes security risk assessments, access control implementation, business associate agreement review, and technical safeguard management.
When HIPAA Security Rule compliance becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward.
Contact our Chicagoland IT support team or call 815-788-6041 to schedule a free Cyberscore cybersecurity assessment.
This article is for general informational purposes and is not legal advice. Consult a healthcare compliance attorney for guidance specific to your organization.