4.3 HIPAA Security Rule

Key Takeaways

  • The Security Rule protects only electronic protected health information (ePHI); paper and spoken PHI fall under the Privacy Rule instead.
  • The Security Rule protects three properties of ePHI — confidentiality, integrity, and availability — and organizes safeguards into Administrative, Physical, and Technical categories.
  • Implementation specifications are either required, meaning they must be done as written, or addressable, meaning the entity must implement, document an equivalent alternative, or document why it is not reasonable.
  • A documented risk analysis is a required Administrative specification and the foundation of Security Rule compliance; missing or incomplete risk analyses are a top OCR finding.
  • Encryption of ePHI is technically an addressable specification, but it is treated as de facto required because it is the safe-harbor that keeps lost data from being a reportable breach.
Last updated: June 2026

Scope: Electronic PHI Only

The HIPAA Security Rule protects electronic protected health information (ePHI) — PHI that is created, received, maintained, or transmitted in electronic form. This is the line the exam tests hardest: paper records and verbal disclosures are protected by the Privacy Rule, not the Security Rule. If a scenario describes a stolen paper chart or an overheard conversation, that is a Privacy Rule issue; if it describes a lost laptop, an unencrypted email, or a hacked server, that is a Security Rule issue.

For a biller, ePHI includes claims in a practice management system, electronic remittance advice (835) files, eligibility responses (271), scanned charts, and any PHI sent by email or text.

The Security Rule requires Covered Entities and Business Associates to protect three properties of ePHI, easy to remember as the CIA triad:

  • Confidentiality — ePHI is not made available to unauthorized persons
  • Integrity — ePHI is not improperly altered or destroyed
  • Availability — ePHI is accessible and usable on demand by authorized persons

Required vs. Addressable Specifications

Each safeguard standard contains one or more implementation specifications, and each specification is labeled one of two ways:

LabelWhat the Entity Must Do
RequiredImplement the specification exactly as written. No alternatives.
AddressableAssess whether the specification is reasonable and appropriate, then either (a) implement it, (b) implement a documented equivalent alternative, or (c) document why neither is reasonable.

Addressable does not mean optional — this is the single most-missed Security Rule fact on the CPB exam. An addressable specification still demands a documented, defensible decision. Choosing to do nothing without analysis or documentation is itself a violation.

The Three Safeguard Categories

Safeguard CategoryFocusExamples
AdministrativePolicies, procedures, and workforce managementRisk analysis, security officer designation, workforce training, sanction policy, contingency and disaster-recovery planning, BAA management
PhysicalProtecting facilities, devices, and mediaFacility access controls, workstation use and security, device and media disposal, reuse, and backup
TechnicalTechnology controls on systems and dataAccess controls, audit controls, integrity controls, person or entity authentication, transmission security

A quick mental test for the exam: if the control is a written rule about people, it is Administrative; if it is a lock, a door, or a shredder, it is Physical; if it is a setting inside the software or network, it is Technical.

Key Technical Safeguards

  • Access controls — unique user IDs, automatic logoff, and emergency access procedures so only authorized users reach ePHI. Shared logins violate this standard.
  • Audit controls — hardware, software, or procedural mechanisms that record and examine activity in systems that contain ePHI.
  • Integrity controls — measures that confirm ePHI has not been improperly altered or destroyed.
  • Person or entity authentication — verifying a user is who they claim to be, through passwords, tokens, or multifactor authentication.
  • Transmission security — protecting ePHI moving across a network, including integrity controls and encryption.

The Risk Analysis Requirement

A risk analysis is a required Administrative specification and the foundation of Security Rule compliance. The entity must conduct an accurate, thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits, then implement reasonable and appropriate measures to reduce those risks to an acceptable level — a process called risk management. It is not a one-time event; it must be reviewed and updated as systems and threats change.

OCR investigations of breaches very often cite a missing, outdated, or incomplete risk analysis as the root failure, and it is frequently the basis for the largest settlements.

Why Encryption Is Effectively Required

Encryption of ePHI — both at rest and in transmission — is technically an addressable specification. However, encryption is the recognized method to render PHI secured (unusable, unreadable, or indecipherable to unauthorized persons). Properly encrypted data that is lost or stolen generally does not trigger the Breach Notification Rule, because it is no longer 'unsecured PHI.' Since unencrypted laptops, USB drives, and emails cause a large share of reportable breaches, billers and their employers should treat encryption as de facto required.

If a scenario asks how a stolen device could have avoided breach notification, the answer is almost always encryption.

Practical Safeguards a Biller Touches Daily

Most Security Rule violations in a billing office are not exotic hacks — they are routine lapses. Sharing one login among the front-desk staff defeats unique user identification and audit controls, because the system can no longer tell who accessed which record. Walking away from an unlocked workstation defeats automatic logoff. Emailing a spreadsheet of patient balances to a personal account, or texting account numbers to a coworker, defeats transmission security.

Tossing old EOBs in the regular trash, or selling a copier without wiping its hard drive, defeats media disposal — copiers store scanned images on internal drives, a fact OCR has penalized providers for ignoring.

A biller's compliance habits map cleanly to the three safeguard categories: follow written policies and complete training (Administrative), lock screens and shred or wipe media (Physical), and use strong unique passwords with multifactor authentication and encrypted transmission (Technical). When a CPB scenario asks which safeguard was violated, trace the failure to whichever of those three layers it broke.

Test Your KnowledgeMatching

Match each Security Rule control to its safeguard category.

Match each item on the left with the correct item on the right

1
Workforce security training and sanction policy
2
Facility access controls and secure device disposal
3
Unique user IDs, audit logs, and transmission encryption
Test Your Knowledge

An encryption implementation specification in the Security Rule is labeled 'addressable.' What does this mean for a Covered Entity?

A
B
C
D