The HIPAA Security Rule, codified at 45 CFR Part 164, establishes the minimum federal standard for protecting electronic protected health information (ePHI). While the Privacy Rule governs what health information may be used and disclosed, the Security Rule dictates how ePHI must be protected through administrative, physical, and technical safeguards. For healthcare organizations, business associates, and their subcontractors, the Technical Safeguards at 45 CFR 164.312 are where technology policy meets regulatory obligation.
The Security Rule distinguishes between required and addressable implementation specifications — a distinction that is frequently misunderstood and that drives many compliance gaps. Understanding this distinction, and knowing specifically which controls the Office for Civil Rights (OCR) prioritizes in audits, is essential for building a defensible HIPAA security program.
Required vs. Addressable: What the Distinction Actually Means
A "required" implementation specification under the Security Rule means the covered entity or business associate must implement the specification as written. There is no flexibility — it must be done.
An "addressable" specification does not mean optional. It means the organization must assess whether the specification is reasonable and appropriate given its environment. If it is reasonable and appropriate, the organization must implement it. If not, the organization must document why and implement an equivalent alternative measure that accomplishes the same objective. Failure to document the rationale for not implementing an addressable specification is itself a compliance gap.
This distinction is critical because OCR auditors will ask for the risk analysis that supports any decision not to implement an addressable specification.
Access Control: 45 CFR 164.312(a)
The Access Control standard requires covered entities to implement technical policies and procedures that allow only authorized persons or software programs to access ePHI. Four implementation specifications fall under this standard:
- Unique user identification (Required): Assign a unique name or number for identifying and tracking user identity. Shared accounts for systems holding ePHI are a direct HIPAA violation, full stop.
- Emergency access procedure (Required): Establish procedures for obtaining necessary ePHI during an emergency. This typically means break-glass access procedures with audit trail capture.
- Automatic logoff (Addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Most OCR guidance treats this as effectively required for workstations in clinical settings.
- Encryption and decryption (Addressable): Implement a mechanism to encrypt and decrypt ePHI. While addressable, encryption of ePHI at rest is treated by OCR as the primary safe harbor for breach notification — breached encrypted data generally does not trigger notification requirements.
Audit Controls: 45 CFR 164.312(b)
The Audit Controls standard has a single required specification: implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. This is a required standard — there are no addressable specifications here.
In practice, this means every system holding ePHI must generate access logs, and those logs must be regularly reviewed. OCR audit findings frequently cite inadequate log generation (systems not configured to log) and lack of log review procedures (logs generated but not reviewed). A security assessment will typically surface both gaps.
Integrity: 45 CFR 164.312(c)
The Integrity standard requires implementing policies and procedures to protect ePHI from improper alteration or destruction. The single implementation specification — mechanism to authenticate ePHI — is addressable. Authentication in this context means technical controls to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. This includes checksums, digital signatures, and version control for electronic health records.
Person or Entity Authentication: 45 CFR 164.312(d)
This required standard mandates implementing procedures to verify that a person or entity seeking access to ePHI is who they claim to be. This is the HIPAA foundation for requiring multi-factor authentication — particularly for remote access to systems containing ePHI. Following the HITECH Act's amplification of HIPAA penalties in 2009, and subsequent OCR guidance, MFA for remote ePHI access is effectively treated as required.
Transmission Security: 45 CFR 164.312(e)
The Transmission Security standard requires implementing technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. Two implementation specifications apply:
- Integrity controls (Addressable): Implement security measures to ensure electronically transmitted ePHI is not improperly modified without detection.
- Encryption (Addressable): Implement a mechanism to encrypt ePHI in transit. As with at-rest encryption, this is addressable but OCR treats unencrypted ePHI transmission as a significant risk finding. TLS 1.2 or higher is the baseline expectation for any ePHI transmitted over the internet.
HITECH Act Amplification
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, substantially strengthened HIPAA enforcement by increasing penalties, extending direct HIPAA obligations to business associates (previously they were only contractually obligated), and creating the Breach Notification Rule. HITECH created four culpability-based penalty tiers ranging from $100 to $50,000 per violation, with a statutory maximum annual cap of $1,500,000 for violations of an identical requirement in a calendar year (42 U.S.C. § 1320d-5). OCR has levied settlements exceeding $5 million for significant violations.
OCR Audit Priorities
OCR's Phase 2 audit protocol and subsequent enforcement actions have consistently focused on specific gaps: failure to conduct and document a thorough risk analysis (45 CFR 164.308(a)(1)); lack of encryption for ePHI at rest on portable devices (laptops, USB drives, smartphones); inadequate business associate agreements; and insufficient access controls resulting in workforce members accessing ePHI they do not need to perform their job functions.
The risk analysis requirement under 45 CFR 164.308(a)(1) is the foundation of any HIPAA Security Rule compliance program. Without a documented risk analysis, no other Security Rule compliance activity is defensible — OCR will ask for the risk analysis first. A gap analysis conducted by a qualified security professional is the appropriate starting point for any healthcare organization building or rebuilding its HIPAA program. Contact Fortress MSSP to begin your HIPAA Security Rule assessment.