The HIPAA Security Rule groups its requirements into three categories of safeguards. Together they form a layered approach to protecting electronic protected health information (ePHI). Here is what each category covers and how it shows up in practice.
Administrative safeguards
Administrative safeguards are the policies, procedures, and management actions that govern how an organization protects ePHI. They are often the largest category and set the direction for the others. Key standards include:
- Security management process - including the risk analysis and risk management activities at the heart of the rule.
- Assigned security responsibility - naming a security official accountable for the program.
- Workforce security and information access management - ensuring only appropriate staff can reach ePHI.
- Security awareness and training - educating the workforce on protecting data and recognizing threats.
- Security incident procedures - identifying, responding to, and documenting incidents.
- Contingency planning - data backup, disaster recovery, and emergency-mode operations.
- Evaluation - periodically reassessing whether safeguards still meet the rule.
Physical safeguards
Physical safeguards protect the facilities, equipment, and media that store or access ePHI. Even strong technical controls can be undone if a server room is unlocked or a backup drive walks out the door. Standards include:
- Facility access controls - limiting physical entry to areas with ePHI.
- Workstation use and security - policies on how and where workstations may be used, and physical protections such as privacy screens and positioning.
- Device and media controls - governing how hardware and electronic media are moved, reused, and disposed of, including secure data destruction and tracking.
Technical safeguards
Technical safeguards are the technology and related policies that protect ePHI and control access to it. Standards include:
| Standard | Purpose |
|---|---|
| Access control | Ensure only authorized users and software reach ePHI (e.g., unique user IDs, automatic logoff). |
| Audit controls | Record and examine activity in systems containing ePHI. |
| Integrity | Protect ePHI from improper alteration or destruction. |
| Authentication | Verify that a person or entity is who they claim to be. |
| Transmission security | Guard ePHI as it moves across networks, including integrity and, where appropriate, encryption. |
How the layers work together
No single safeguard is sufficient on its own. Administrative safeguards decide who should have access; physical safeguards keep equipment and facilities secure; technical safeguards enforce access and protect data in systems and in transit. A weakness in one layer shifts more of the burden onto the others, which is why gaps are best assessed across all three at once.
Required and addressable specifications
Within each category, implementation specifications are marked required or addressable. Addressable does not mean optional; it means the organization must evaluate the specification and either implement it, adopt an equivalent measure, or document why it is not reasonable and appropriate. Documenting these decisions is itself an important part of compliance.
Scaling safeguards to your organization
The Security Rule is deliberately flexible, and the three safeguard categories apply differently depending on size and complexity. A solo practice and a regional health system must both address facility access controls, but what is reasonable and appropriate looks very different for each. The rule directs organizations to consider their size, complexity, and capabilities; their technical infrastructure; the cost of security measures; and the likelihood and severity of potential risks to ePHI. This is why two compliant organizations can implement the same standard in different ways. The common thread is that each decision should trace back to the risk analysis rather than to a generic template, and that the reasoning is written down.
Common gaps in each category
Assessments tend to surface recurring weaknesses. On the administrative side, an outdated or missing risk analysis and incomplete training records are frequent findings. Physically, unsecured server areas, unattended workstations in public spaces, and undocumented device disposal create exposure. Technically, shared logins, missing automatic logoff, unreviewed audit logs, and unencrypted laptops appear again and again. Reviewing your controls category by category, and asking what could go wrong in each, is an efficient way to catch these before they become incidents.
Mapping your existing controls to these three categories is a practical way to find gaps. Many organizations use NIST SP 800-66 Rev. 2 as a companion because it ties each Security Rule standard to concrete activities and references.