← All posts

Cybersecurity · September 3, 2025 · intSignal Security Team

The HIPAA Security Rule, Translated for IT Teams

What the Security Rule actually asks of you

The HIPAA Security Rule is written by lawyers for compliance officers, which is why so many IT teams read it once, feel vaguely threatened, and file it away. Underneath the regulatory language, though, it is a fairly ordinary security framework. It governs one thing — electronic protected health information, or ePHI — and it tells covered entities (providers, health plans, clearinghouses) and their business associates to protect the confidentiality, integrity, and availability of that data.

The Rule organizes its requirements into three categories of safeguards: administrative, physical, and technical. Within each category are "implementation specifications," and each specification is flagged either required or addressable. This is the single most misunderstood word in HIPAA. Addressable does not mean optional. It means you must implement the control, or adopt a documented equivalent that achieves the same protection, or formally record why the control is not reasonable and appropriate for your environment. "We skipped it" is not one of the three choices. Regulators have proposed removing this distinction entirely and making most specifications mandatory, so treating addressable as required today is the safer posture and future-proofs your program.

The three safeguard categories in plain terms

Strip out the legal phrasing and the three categories map cleanly onto work an IT team already understands.

  • Administrative safeguards are the policies, people, and process controls — the largest chunk of the Rule. They require a named security official, a written risk analysis and risk management process, workforce security and access management procedures, security awareness training, an incident response process, a contingency plan (backups, disaster recovery, emergency operation), and periodic evaluation. In practice this is your governance layer.
  • Physical safeguards cover the tangible world: facility access controls, workstation use and security, and device and media controls. That means who can walk up to a server, how laptops are secured, and how you sanitize or destroy drives before they leave the building. Cloud hosting shifts much of this to your provider, but it never removes your responsibility for the endpoints your workforce actually touches.
  • Technical safeguards are the controls IT most readily recognizes: access control, audit controls, integrity controls, person-or-entity authentication, and transmission security. This is where encryption, logging, and identity live.

Checklist mapping HIPAA administrative, physical, and technical safeguards to concrete IT controls Figure: the Rule reads as prose, but it resolves into a finite list of controls you can assign owners to and audit against.

The mistake teams make is treating the Rule as a technology problem. Roughly half of the required specifications are administrative — documentation, review cadences, and assigned accountability. You cannot buy your way to compliance with tooling alone.

The risk analysis is the keystone — and the most-cited failure

If you do only one thing this quarter, do the risk analysis. It is a required administrative specification, and it is the finding that appears again and again in HHS Office for Civil Rights enforcement actions. When a breach investigation opens, the first document OCR asks for is your current, accurate risk analysis. Its absence turns a bad day into a settlement.

A defensible risk analysis is not a questionnaire. It is a documented process that:

  1. Inventories every place ePHI is created, received, maintained, or transmitted — applications, databases, endpoints, mobile devices, email, backups, and every third party that touches the data.
  2. Identifies reasonably anticipated threats and vulnerabilities against each location.
  3. Rates the likelihood and impact of each, producing a prioritized risk register rather than a flat list.
  4. Feeds a risk management plan that assigns owners, remediation, and target dates — and gets reviewed on a schedule, not once and forgotten.

The Rule expects this to be living. New application, new vendor, new office, material breach — each is a trigger to revisit. Building and maintaining that process is exactly the work a security and compliance program exists to run, because the analysis only holds up if someone keeps it current between audits.

Access controls and audit logging

Two technical safeguards do most of the heavy lifting, and they are the ones auditors probe hardest.

Access control implements the minimum-necessary principle: each user gets only the ePHI their role requires. Concretely, that means unique user IDs (no shared logins — required), role-based permissions, automatic logoff on idle sessions, and an emergency-access procedure for break-glass situations. Enforcing this reliably across clinical, administrative, and third-party users is an identity problem more than an application problem, which is why we anchor HIPAA access controls to a managed identity and access management process — so joiner-mover-leaver events, minimum-necessary scoping, and multi-factor authentication are enforced the same way every time instead of drifting per system.

Audit controls require you to record and examine activity in systems that contain ePHI. Logging that nobody reviews is not a control — it is storage. A credible program centralizes logs from applications, servers, and endpoints, retains them long enough to cover an investigation (retain a year where you can, not the bare minimum), and alerts on the events that matter: access to records outside a user's normal scope, bulk exports, failed authentication clusters, and privileged-account use. During a breach inquiry, these logs are how you reconstruct what was and was not accessed — which often decides whether an event is even reportable.

Encryption of ePHI at rest and in transit

Encryption is technically an addressable specification, which has led more than one organization to talk itself out of it. Do not. In practice, encryption is the closest thing HIPAA offers to a safe harbor: under the Breach Notification Rule, ePHI that is encrypted to current HHS-recognized standards is considered "secured," and its loss generally is not a reportable breach. Encrypt properly and a lost laptop becomes a lost laptop rather than a public breach disclosure.

  • At rest: full-disk encryption on every endpoint and server, database and storage-level encryption, and encrypted backups. Manage the keys separately from the data.
  • In transit: current TLS for anything crossing a network, encrypted email (or a secure portal) for external ePHI, and no unencrypted protocols reaching systems that hold health data.

Encryption also pairs naturally with data loss prevention, which watches the channels ePHI can leave through — misaddressed email, personal cloud storage, USB — and enforces policy on the data itself. Encryption protects data you have lost control of; DLP keeps you from losing control in the first place.

Business associate agreements: your liability travels with the data

The moment ePHI leaves your walls for a vendor — a billing service, a cloud host, an analytics platform, an MSP — HIPAA follows it. A Business Associate Agreement is the required contract that binds that vendor to the same safeguards and makes their obligations enforceable. Two practical rules:

  • No BAA, no ePHI. If a vendor will create, receive, maintain, or transmit health data and has not signed a BAA, they should not have the data. Maintain a current inventory of every business associate and the agreement covering each.
  • A BAA is not a security audit. The signature transfers obligation; it does not verify the vendor's controls. Your risk analysis still has to account for the ePHI they hold, and material vendors deserve real diligence.

Breach notification: know the clock before you need it

When unsecured ePHI is compromised, the Breach Notification Rule sets firm deadlines. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days from discovery. HHS must be notified — immediately for breaches affecting 500 or more people, and via an annual log for smaller ones. Large breaches also require notifying prominent media in the affected region.

Sixty days sounds generous until an incident is live and you are trying to determine what was accessed, whose records were involved, and whether the data was encrypted. That determination depends entirely on the audit logs and encryption posture you established beforehand. A tested incident response plan — who declares, who investigates, who counts records, who drafts notifications — is what keeps the 60-day clock from becoming a crisis. Preparation, not paperwork, is what the deadline actually rewards.

Turning the Rule into an operating program

The Security Rule is not vague once you translate it: name an owner, run and maintain a real risk analysis, enforce unique-identity access and minimum necessary, log and actually review activity, encrypt ePHI at rest and in transit, put a BAA behind every vendor that touches the data, and rehearse breach notification before you need it. The organizations that stumble are almost never the ones that misread a clause — they are the ones that did the work once and let it go stale.

intSignal builds and operates HIPAA safeguards as a continuous program rather than an annual scramble: the risk analysis stays current, access and audit controls run against live systems, and evidence is ready when OCR or an auditor asks. If you want a clear-eyed read on where your ePHI lives and where the gaps are today, talk to our security team and we will map it to the Rule, control by control.