HIPAA Cybersecurity Requirements for US Organizations

The Health Insurance Portability and Accountability Act (HIPAA) establishes federal cybersecurity obligations for organizations that handle protected health information (PHI), with enforcement authority held by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). These requirements apply to covered entities — health plans, healthcare clearinghouses, and healthcare providers — as well as business associates that process PHI on their behalf. Understanding the structure of HIPAA's technical and administrative security standards is essential for compliance analysts, security engineers, and legal professionals operating in the healthcare sector. This reference maps the regulatory framework, implementation mechanics, applicable scenarios, and the boundaries between required and addressable controls.

Definition and scope

HIPAA's cybersecurity obligations are primarily codified in the Security Rule, published at 45 CFR Parts 160 and 164, which took effect for most covered entities in April 2005. The Security Rule applies specifically to electronic protected health information (ePHI) — a subset of PHI that is created, received, maintained, or transmitted in electronic form.

The rule's scope is defined by two organizational categories:

  1. Covered entities (CEs) — health plans (including employer-sponsored plans covering 50 or more participants), healthcare clearinghouses, and any healthcare provider that transmits health information electronically in connection with standard transactions.
  2. Business associates (BAs) — third parties that perform functions or activities involving the use or disclosure of ePHI on behalf of a covered entity, including cloud storage providers, billing services, and IT managed service contractors.

The HITECH Act of 2009 (42 U.S.C. § 17931) extended direct Security Rule liability to business associates and increased civil monetary penalty tiers. As of the penalty structure published by HHS OCR, penalties are tiered across four categories of culpability, with a maximum of $1,993,581 per violation category per calendar year (HHS, Civil Money Penalties and Settlements) — adjusted periodically for inflation under the Federal Civil Penalties Inflation Adjustment Act.

The Security Rule does not prescribe specific technologies. Instead, it establishes a risk-based compliance model structured around three categories of safeguards: administrative, physical, and technical.

How it works

The Security Rule organizes its requirements into required and addressable implementation specifications — a distinction central to how organizations build compliance programs.

The framework is structured across three safeguard categories:

1. Administrative Safeguards (45 CFR § 164.308)
- Security management process, including a formal risk analysis and risk management program (required)
- Assigned security responsibility — designation of a security official (required)
- Workforce training and access management procedures (addressable elements within required standards)
- Contingency planning covering data backup, disaster recovery, and emergency mode operations

2. Physical Safeguards (45 CFR § 164.310)
- Facility access controls limiting physical entry to systems housing ePHI
- Workstation use and security policies
- Device and media controls covering disposal and reuse of hardware

3. Technical Safeguards (45 CFR § 164.312)
- Access controls: unique user identification (required), automatic logoff (addressable), encryption and decryption (addressable)
- Audit controls: hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI (required)
- Integrity controls: mechanisms to authenticate that ePHI has not been improperly altered
- Transmission security: encryption of ePHI in transit (addressable)

NIST publishes implementation guidance for the Security Rule in NIST SP 800-66, Rev. 2, which maps Security Rule standards to NIST controls and provides a structured risk assessment methodology. The infosec providers maintained on this site include service providers operating within the HIPAA-regulated sector.

OCR enforces the Security Rule through compliance reviews and complaint investigations. The agency published a HIPAA Audit Program covering both covered entities and business associates.

Common scenarios

Scenario 1: Cloud service provider as business associate
A hospital contracts with a cloud infrastructure provider to host its electronic health record (EHR) platform. Because the provider stores ePHI, it qualifies as a business associate and must sign a Business Associate Agreement (BAA) and independently comply with the Security Rule's technical safeguards. Failure to execute a BAA is itself a violation, independent of any breach event.

Scenario 2: Ransomware attack triggering breach notification
A ransomware incident affecting ePHI triggers dual obligations: the Security Rule's contingency plan requirements apply immediately, and the Breach Notification Rule (45 CFR § 164.400–414) requires covered entities to notify affected individuals within 60 days of discovery, notify HHS, and — for breaches affecting 500 or more residents of a state — notify prominent media outlets in that state. HHS OCR confirmed in 2022 guidance that ransomware encrypting ePHI is presumed a breach unless the organization can demonstrate a low probability of PHI compromise through a four-factor risk assessment.

Scenario 3: Small provider with limited IT resources
A solo medical practice with fewer than 10 employees is still subject to the Security Rule in full. The addressable specification framework permits documented alternative implementations, but exemption from the rule itself is not available based on organizational size. This contrasts with the Breach Notification Rule's media notification threshold, which scales to 500 affected individuals per state.

Scenario 4: Telehealth platform vendor
A software-as-a-service (SaaS) telehealth platform that transmits video-based consultations and stores session records containing ePHI qualifies as a business associate. The platform's transmission security obligations under 45 CFR § 164.312(e) — specifically encryption of ePHI in transit — apply regardless of whether the covered entity client has independently encrypted data at the application layer.

Further context on how cybersecurity service providers are categorized within regulated sectors is available through the reference.

Decision boundaries

The boundary between HIPAA Security Rule applicability and non-applicability turns on three threshold questions:

1. Does the organization qualify as a covered entity or business associate?
Organizations that handle health data but do not meet the statutory definitions — for example, a fitness app that collects self-reported wellness data without a covered entity relationship — fall outside HIPAA jurisdiction. The Federal Trade Commission (FTC) asserts authority over such entities under the FTC Health Breach Notification Rule (16 CFR Part 318), which is a distinct regulatory instrument with different notification timelines and scope.

2. Is the data at issue ePHI?
PHI excludes employment records held by a covered entity in its capacity as employer, education records covered by FERPA, and de-identified data meeting the Safe Harbor or Expert Determination standards under 45 CFR § 164.514. De-identification removes HIPAA Security Rule obligations entirely for that data class — though re-identification risk remains a regulatory concern under emerging state frameworks.

3. Required vs. addressable specifications — not optional vs. mandatory
A common misreading of the Security Rule treats "addressable" as synonymous with "optional." HHS OCR has consistently rejected this interpretation. Addressable specifications require formal, documented analysis. An organization that skips addressable controls without documentation or documented alternatives is out of compliance regardless of whether a breach has occurred.

The distinction between HIPAA's Security Rule and its Privacy Rule also requires precision: the Privacy Rule (45 CFR § 164.500–534) governs the permissible uses and disclosures of PHI in all forms — not just electronic — and carries its own administrative safeguard requirements. A Security Rule compliance program does not satisfy Privacy Rule obligations, and vice versa. Organizations subject to both rules must maintain separate but coordinated compliance programs.

For researchers and professionals mapping service provider categories within this regulatory space, the how to use this infosec resource reference provides structural orientation to how this provider network classifies vendor and practitioner providers.

 ·   · 

References

Read Next

InfoSec Listings ANA › Professional Services Authority Authority › National Cyber Authority Authority › InfoSec Authority InfoSec Providers The InfoSec Providers section of this... InfoSec Directory: Purpose and Scope ANA › Professional Services Authority Authority › National Cyber Authority Authority › InfoSec Authority InfoSec Network: Purpose and Scope The InfoSec Authority... NIST Cybersecurity Framework: Practitioner Guide ANA › Professional Services Authority Authority › National Cyber Authority Authority › InfoSec Authority NIST Cybersecurity Framework: Practitioner Guide The NIST...