What is HIPAA Security Rule?
The HIPAA Security Rule (45 CFR Part 164, Subpart C) sets national standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Each standard's implementation specifications are either "required" or "addressable."
The Security Rule matters because it is the part of HIPAA that governs your IT and data security — risk analysis, access controls, encryption, audit logs, and contingency planning all live here. Unlike the Privacy Rule, it applies only to ePHI, and it is intentionally flexible and scalable so a solo practice and a hospital system can both comply at appropriate scale.
For example, the Security Rule requires a documented risk analysis (an administrative safeguard), workstation and device controls (physical safeguards), and access controls plus audit controls (technical safeguards). "Addressable" specifications such as encryption cannot simply be ignored: you must either implement them or document why an alternative measure is reasonable and appropriate for your environment.
Having the right written policies and a risk-analysis workbook makes audit readiness far faster, because OCR investigations and vendor due-diligence both ask for this documentation first. Templates accelerate building those administrative safeguards, but they do not make you compliant on their own — you still have to operate the technical and physical controls and run your own risk analysis.
Related terms: HIPAA Risk Analysis · HIPAA Privacy Rule · Access Control · Encryption
Frequently asked questions
- What is the difference between the Security Rule and the Privacy Rule?
- The Security Rule protects only electronic PHI through administrative, physical, and technical safeguards. The Privacy Rule governs how all PHI — in any form — may be used and disclosed. They overlap but cover different scopes.
- What does "required" vs "addressable" mean?
- Required specifications must be implemented as written. Addressable specifications give flexibility: you implement the measure, adopt a reasonable alternative, or document why it is not reasonable and appropriate for your environment. Addressable does not mean optional.
- Does the Security Rule require encryption?
- Encryption is an addressable implementation specification, not a flat mandate. If you do not encrypt ePHI, you must document why and what equivalent safeguard you use instead. Encrypting data at rest and in transit is widely treated as the practical default.
Toolkits that cover HIPAA Security Rule
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
HIPAA Compliance Toolkit — Dental Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices.
HIPAA Compliance Toolkit — Mental Health Practices
18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist.
