45 CFR 164 Subpart C
HHS
active
HIPAA Security Rule
Plain English Summary
Requires healthcare organizations to implement security safeguards to protect electronic patient health data.
CFR Title
45
CFR Part
164
Effective Date
Apr 20, 2005
Jurisdiction
US
Full Text
Covered entities and their business associates must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Required administrative safeguards include risk analysis, risk management, workforce training, and contingency planning.
Technical safeguards include access controls, audit controls, integrity controls, and transmission security. Physical safeguards cover facility access controls, workstation use and security, and device and media controls. Entities must conduct periodic risk assessments.
healthcare
technology