The HIPAA Security Rule — A Complete Guide for 2026
TL;DR
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). The Security Rule is principles-based — it specifies what must be protected but allows organizations to choose how based on their size and risk profile.
Everything covered entities and business associates need to know about the HIPAA Security Rule — administrative, physical, and technical safeguards explained.
The HIPAA Security Rule establishes national standards for protecting electronic Protected Health Information. Unlike the Privacy Rule, which governs how PHI may be used and disclosed, the Security Rule is exclusively focused on how ePHI must be secured.
Structure of the Security Rule
The Security Rule is organized around three categories of safeguards, each containing standards and implementation specifications:
- Administrative safeguards — Policies, procedures, and oversight mechanisms
- Physical safeguards — Physical access controls and device management
- Technical safeguards — Technology controls protecting ePHI
Implementation specifications within each category are designated as either required or addressable. Required specifications must be implemented. Addressable specifications must be implemented if reasonable and appropriate given the organization's size, complexity, and capabilities — or the organization must document why they are not implementing them and describe equivalent alternative measures.
Warning
Addressable does not mean optional. OCR has issued penalties to organizations that treated addressable specifications as though they were suggestions. Every addressable specification requires either implementation or documented justification for non-implementation.
Administrative safeguards
Administrative safeguards are the policies, procedures, and processes that govern how an organization manages ePHI security.
Security management process (Required; 45 CFR §164.308) — Organizations must implement policies and procedures to prevent, detect, contain, and correct security violations. This includes conducting a risk analysis, implementing risk management measures, applying sanctions to workforce members who violate policies, and reviewing information system activity.
The risk analysis is the cornerstone of Security Rule compliance. It must identify all ePHI the organization creates, receives, maintains, or transmits, assess the threats and vulnerabilities to that ePHI, and implement security measures to reduce risks to a reasonable level.
Assigned security responsibility (Required) — A security official must be designated with responsibility for developing and implementing Security Rule policies and procedures. At small organizations this may be the same person as the Privacy Officer.
Workforce security (Addressable) — Organizations must implement policies and procedures to ensure workforce members have appropriate access to ePHI and to prevent unauthorized access. This includes authorization and supervision procedures, workforce clearance procedures, and termination procedures.
Information access management (Addressable) — Access to ePHI must be managed through policies and procedures including isolating healthcare clearinghouse functions, implementing access authorization, and establishing access establishment and modification procedures.
Security awareness and training (Addressable) — All workforce members must receive security awareness training. Training must cover protection against malicious software, log-in monitoring, and password management.
Security incident procedures (Required) — Organizations must implement policies and procedures to address security incidents — including identifying, responding to, mitigating, and documenting security incidents and their outcomes.
Contingency plan (Addressable) — Organizations must have a plan for responding to emergencies or disasters that damage systems containing ePHI. This includes data backup plans, disaster recovery plans, and emergency mode operation plans.
Evaluation (Required) — Organizations must perform periodic technical and non-technical evaluations to assess how well security policies and procedures meet Security Rule requirements.
Business associate contracts (Required) — Organizations must have written contracts with business associates that handle ePHI establishing the safeguards the business associate must implement.
Physical safeguards
Physical safeguards govern the physical protection of ePHI and the systems that contain it.
Facility access controls (Addressable; 45 CFR §164.310) — Organizations must implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are housed. This includes contingency operations, facility security plans, access control and validation procedures, and maintenance records.
Workstation use (Required) — Organizations must implement policies specifying the proper functions to be performed on workstations, the manner in which those functions are to be performed, and the physical attributes of the surroundings of workstations that access ePHI.
Workstation security (Required) — Physical safeguards must be implemented for all workstations that access ePHI to restrict access to authorized users.
Device and media controls (Addressable) — Organizations must implement policies governing the receipt and removal of hardware and electronic media containing ePHI into and out of the facility. This includes disposal procedures, media re-use procedures, accountability tracking, and data backup and storage.
One of the most overlooked physical safeguard requirements is device disposal. Hard drives and other media must be securely wiped or physically destroyed before disposal. Simply deleting files is not sufficient.
Technical safeguards
Technical safeguards are the technology controls and policies that protect ePHI and control access to it.
Access controls (Required; 45 CFR §164.312) — Technical policies and procedures must be implemented to allow only authorized persons to access ePHI. Required implementation specifications include unique user identification and emergency access procedures. Addressable specifications include automatic logoff and encryption and decryption.
Audit controls (Required) — Hardware, software, and procedural mechanisms must be implemented to record and examine activity in information systems that contain or use ePHI.
Integrity (Addressable) — Organizations must implement policies and procedures to protect ePHI from improper alteration or destruction. Electronic mechanisms must be implemented to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
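The integrity specification asks for an electronic mechanism that can show a record has not been altered or destroyed without authorization. One common way to build such a mechanism is to seal each stored ePHI record with a keyed hash (HMAC) and re-check it on every read. The following is an added illustration, not code from this guide or from any HHS or NIST publication; the record fields, the demo key and the field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key comes from a key-management
# system or HSM and is never embedded in source code.
DEMO_KEY = b"demo-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, no extra whitespace)
    so that identical content always produces identical bytes to tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a copy of the record carrying an HMAC-SHA256 tag over its
    canonical form. Any later change to any field invalidates the tag."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    sealed = dict(record)
    sealed["integrity_tag"] = tag
    return sealed


def verify_record(sealed: dict, key: bytes = DEMO_KEY) -> bool:
    """Recompute the tag over everything except the stored tag and compare in
    constant time. False means the record was altered, a field was removed,
    the tag is missing, or the key does not match."""
    stored = sealed.get("integrity_tag")
    if not isinstance(stored, str):
        return False
    body = {k: v for k, v in sealed.items() if k != "integrity_tag"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(stored, expected)


# Constructed sample ePHI record with fictional values.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "encounter_date": "2026-03-14",
    "diagnosis_code": "E11.9",
    "attending": "dr.example",
}


def demo() -> tuple[bool, bool, bool]:
    """Seal the sample record, then check three cases: the untouched copy
    verifies, an altered copy is rejected, and a check under a different
    key is rejected."""
    sealed = seal_record(SAMPLE_RECORD)
    intact = verify_record(sealed)

    tampered = dict(sealed)
    tampered["diagnosis_code"] = "Z00.00"  # unauthorized alteration of a field
    altered_detected = not verify_record(tampered)

    wrong_key_detected = not verify_record(sealed, key=b"some-other-key")
    return intact, altered_detected, wrong_key_detected


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True)
```

Sealing at write time and verifying at read time gives the "corroborate that ePHI has not been altered" evidence the specification describes; the verification result can also be written to the audit log so that tampering attempts become visible during review. A hash without a key would only detect accidental corruption, since anyone who can edit the record could recompute a plain hash, which is why the example uses an HMAC under a protected key.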
Transmission security (Addressable) — Technical security measures must be implemented to guard against unauthorized access to ePHI transmitted over electronic communications networks. Encryption of ePHI in transit is an addressable specification — but given that the cost of encryption is minimal and the risk of unencrypted transmission is substantial, OCR strongly encourages encryption as the standard approach.
Organizational requirements
In addition to the three safeguard categories, the Security Rule includes organizational requirements (45 CFR §164.314) covering business associate contracts and group health plan requirements. Business associate contracts must require business associates to implement administrative, physical, and technical safeguards for ePHI, report security incidents, and ensure subcontractors do the same.
Policies and documentation requirements
The Security Rule (45 CFR §164.316) requires organizations to maintain written documentation of all Security Rule policies and procedures. Documentation must be retained for six years from the date of creation or the date it was last in effect — whichever is later. All documentation must be available to those responsible for implementing the procedures.
The 2024-2026 Security Rule update
HHS published a Notice of Proposed Rulemaking in January 2025 proposing significant updates to the Security Rule — the first major update since 2013. Key proposed changes include:
- Making encryption of ePHI at rest and in transit a required specification rather than addressable
- Requiring multi-factor authentication as a required specification
- Mandating network segmentation for systems containing ePHI
- Requiring annual penetration testing
- Strengthening business associate oversight requirements
These changes had not been finalized as of April 2026. Monitor HHS.gov and medcomply.ai for updates as the rulemaking process continues.
Note
Use our free HIPAA Security Rule Risk Assessment tool to assess your current compliance with all Security Rule safeguards and generate a prioritized action plan.
Key takeaways
The Security Rule is flexible by design — it does not prescribe specific technologies. What it requires is that you identify your risks, implement reasonable safeguards, document your decisions, and review your approach regularly. A small practice and a large hospital system will implement the Security Rule very differently, and that is by design.
Sources & citations
- 45 CFR Part 164, Subpart C — Security Standards
- HHS Security Rule Guidance
- NIST SP 800-66 Rev. 2 — HIPAA Security Rule Guidance
All content verified against official HHS guidance and the Code of Federal Regulations.
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.