3.4 The HIPAA Security Rule

Scope and the Three Safeguard Categories

The HIPAA Security Rule (45 CFR Part 164, Subpart C) protects electronic Protected Health Information (ePHI) only — not paper or oral PHI, which the Privacy Rule covers. Its goal is the CIA triad: confidentiality, integrity, and availability of ePHI. The Rule is technology-neutral and scalable, so a small clinic and a large health system meet it differently.

Safeguards fall into three categories:

Administrative safeguards are the largest category (roughly half the standards) and where most RHIT scenarios live, because they govern the human and policy decisions behind the technology. The Rule also requires entities to designate a Security Officer, maintain written policies and procedures, and retain security documentation for six years. A covered entity must likewise obtain written assurances (through a BAA) that its business associates will safeguard ePHI — security obligations flow downstream to subcontractors.

Required vs. Addressable Specifications

Each standard has implementation specifications marked required or addressable:

• Required — the entity must implement it exactly (e.g., conduct a risk analysis, have a sanction policy, implement unique user identification).
• Addressable — the entity must assess whether the specification is reasonable and appropriate for its environment. If yes, implement it. If not, it must implement an equivalent alternative and document the rationale. "Addressable" does not mean optional — skipping it without documented justification is a violation.

The security risk analysis (an administrative, required spec) is the foundation of the whole Rule: an accurate, thorough, ongoing assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI the entity creates, receives, maintains, or transmits. Its findings drive the risk management process — implementing security measures to reduce risks to a reasonable and appropriate level. A risk analysis is not a one-time event; it must be reviewed and updated as the environment changes (new systems, new vendors, new threats).

OCR repeatedly cites a missing or stale risk analysis as the root cause in multimillion-dollar breach settlements — treat it as exam-critical.

Other key administrative specs include the sanction policy (required — apply consequences to workforce who violate policy), information system activity review (required — regularly review audit logs and access reports), workforce clearance and termination procedures, and security awareness training. Because addressable specs make up roughly half the Rule, candidates must resist the trap of reading "addressable" as "skip it."

When evaluating an addressable specification, the entity documents one of three outcomes: implement it as written; implement an equivalent alternative measure with rationale; or, if neither is reasonable and appropriate and the risk is low, not implement it with documented justification. Every one of these decisions must be written down — undocumented decisions are treated as non-compliance. This documentation discipline is precisely what OCR examines after a breach, which is why the exam ties addressable specs so tightly to written policies and the risk analysis.

Technical Controls and Contingency Planning

Technical safeguards the RHIT exam tests:

• Access control — unique user IDs (required), emergency access procedure (required), plus automatic logoff and encryption/decryption (addressable). Role-Based Access Control (RBAC) grants the minimum necessary access by job role.
• Audit controls (required) — hardware/software that records and examines activity in systems with ePHI; audit-trail review detects insider snooping.
• Integrity — protect ePHI from improper alteration or destruction.
• Person/entity authentication — verify identity (passwords, tokens, biometrics).
• Transmission security — guard ePHI in transit, often via encryption.

Encryption is addressable, but encrypting ePHI to NIST-recommended standards (the National Institute of Standards and Technology) renders it unusable, unreadable, or indecipherable if breached, qualifying it as secured PHI under the breach safe harbor — meaning a lost encrypted laptop generally triggers no notification. This is why encryption, though technically "addressable," is a near-universal best practice.

Physical safeguards the exam tests include facility access controls (badges, locks, visitor logs), workstation security and use (positioning screens away from public view, privacy filters, locking sessions), and device and media controls — policies for the disposal, re-use, accountability, and data backup/storage of hardware and removable media. Wiping or destroying drives before disposal prevents a classic breach.

Contingency planning (administrative) is required and includes a data backup plan, a disaster recovery plan, an emergency mode operation plan, plus addressable testing/revision and applications/data criticality analysis — together ensuring patient care and ePHI availability survive a fire, flood, outage, or ransomware attack. A facility with offline, tested backups can refuse a ransom and restore systems quickly.

The Security Rule's flexibility of approach lets each entity weigh its size, complexity, technical capabilities, cost, and the probability and criticality of risks when choosing security measures — but flexibility never excuses ignoring a required specification or skipping the risk analysis that justifies the choices made.