HIPAA Security Rule Requirements

What is the HIPAA Security Rule?

The HIPAA Security Rule sets national standards for protecting electronic protected health information (ePHI): the individually identifiable health information that covered entities and their business associates create, receive, maintain, or transmit in electronic form. Where the Privacy Rule governs who may use and disclose protected health information, the Security Rule requires safeguards that preserve the confidentiality, integrity, and availability of that information when it is stored or handled electronically. In the healthcare industry, personal and sensitive health information is collected and stored in a growing number of ways, and all of it must be protected according to the HIPAA Security Rule requirements.

Which organizations must comply with the HIPAA Security Rule requirements?

The Security Rule applies to covered entities and their business associates, including:

  • Mental Health Professionals
  • Other Medical Professionals and Health Care Providers who transmit health information electronically
  • Health Plans
  • Health Care Clearinghouses
  • Business Associates: anyone else who creates, receives, maintains, or transmits ePHI on a covered entity's behalf

How to comply with the HIPAA Security Rule requirements?

Cybersecurity compliance can seem like an intimidating task with a lengthy checklist. Achieving compliance has also lured companies into assuming they are prepared for cyber threats, only to find, when an attack comes, that their preparation and knowledge fall short of where they need to be. As technology advances, so do the methods and sophistication of attackers. Our team at Totem will help you identify weaknesses in your architecture and train your personnel to recognize threats, respond to attacks, report incidents, and maintain a secure and compliant environment. Cybersecurity compliance begins with education. Let Totem’s Cybersecurity Planning Tool (our software for HIPAA Security Rule compliance) assist you while our team trains you to properly protect your business and comply with all of the HIPAA Security Rule requirements.

What are the HIPAA Security Rule Requirements?

A risk analysis is the first step for Administrative Safeguards in the HIPAA Security Rule requirements. A proper risk analysis according to the HIPAA Security Rule must include the following:

  • An evaluation of the likelihood and impact of potential risks to ePHI.
  • Implementation of appropriate security measures to address the risks identified in the risk analysis.
  • Documentation of the chosen security measures and, where required, the rationale for adopting them.
  • Maintenance of continuous, reasonable, and appropriate security protections.

Risk analysis is an ongoing process, not a one-time exercise. Regular reviews should confirm that the organization is tracking and examining security incidents, monitoring access to patient and workforce information (for example through audit logs and access reports), and evaluating whether the security measures in place are still sufficient to reduce risk to a reasonable and appropriate level.

Security Management Process

Under the HIPAA Security Rule requirements, every covered entity must identify and analyze potential risks to ePHI, and then implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level.

Security Personnel

A covered entity must designate a security official who is responsible for developing and implementing security policies and procedures.

Information Access Management

Consistent with the HIPAA Privacy Rule’s "minimum necessary" standard, the Security Rule requires policies and procedures that authorize access to ePHI only when that access is appropriate for the user’s or recipient’s role, so that workforce members see only the information they need to do their jobs.

Workforce Training and Management

A covered entity must provide appropriate authorization and supervision of workforce members who work with ePHI. The HIPAA Security Rule requirements also mandate training of the entire workforce on security policies and procedures, and require the entity to apply sanctions against workforce members who violate those policies and procedures.


Evaluation

To comply with the HIPAA Security Rule requirements, your company must perform periodic assessments of how well its security policies and procedures meet the Security Rule’s standards, and repeat them whenever the environment or the organization changes.

Facility Access and Control

Entities governed by the HIPAA Security Rule requirements must limit physical access to their facilities and to the systems that hold ePHI, while ensuring that properly authorized personnel can still get in.

Workstation and Device Security

The HIPAA Security Rule requires policies and procedures that specify the proper use of workstations and electronic media and the ways they may be accessed. Policies and procedures must also govern the transfer, removal, disposal, and re-use of electronic media, so that ePHI stays protected for the whole life of the device, including when it leaves the organization.

Access Control

The HIPAA Security Rule requires technical policies and procedures that allow only authorized persons to access ePHI, starting with a unique identifier for every user so that activity can be traced to an individual.

Audit Controls

Covered entities must implement hardware, software, and/or procedural mechanisms that record and examine access and other activity in the information systems that contain or use ePHI, so that who did what, and when, can be reconstructed after the fact.

Integrity Controls

Entities covered by the HIPAA Security Rule requirements must implement policies and procedures to ensure that ePHI is not improperly altered or destroyed, together with electronic mechanisms (for example a checksum or digital signature) that can confirm the information has not been improperly altered or destroyed.

Transmission Security

Covered entities must implement technical security measures that guard against unauthorized access to ePHI while it is being transmitted over an electronic network, including integrity controls and, where reasonable and appropriate, encryption.

Covered Entity Responsibilities

If a covered entity knows of an activity or practice of a business associate that constitutes a material breach or violation of the business associate’s obligations, the covered entity must take reasonable steps to cure the breach or end the violation, and must keep managing the problem until it is resolved. Failing to implement safeguards that reasonably and appropriately protect ePHI is itself a violation.

Business Associate Contracts 

A covered entity must have a written contract or other arrangement with each business associate that requires the business associate to appropriately safeguard the ePHI it handles. HHS developed further regulations relating to business associate obligations and business associate contracts under the HITECH Act of 2009.

Policies, Procedures, and Documentation

Reasonable and appropriate policies and procedures must be adopted in order to comply with the HIPAA Security Rule requirements. Written security policies and procedures, and written records of the actions, activities, or assessments they require, must be retained for six years after the later of the date they were created or the date they were last in effect.

Updates: The HIPAA Security Rule requires periodic review and updating of this documentation in response to environmental or organizational changes that may affect the security of ePHI.

HIPAA Security Rule Summary

Who is Governed by the HIPAA Security Rule Requirements?

Every method of recording, transmitting, and storing ePHI is governed by the HIPAA Security Rule requirements, whatever part of the healthcare industry you work in. As healthcare technology advances, patients become more involved in their own care, records, and interactions with the healthcare system. The more technology is introduced, the higher the cybersecurity risk, and the more management and assistance is needed to ensure compliance at every level of healthcare. Our compliance software will keep you up to date on any changes to the HIPAA Security Rule requirements.

HIPAA Security Rule Summary of Data that is Regulated.

The HIPAA Security Rule covers ePHI wherever it is held across the healthcare industry, from health plans to provider records. Most health information is now collected and stored electronically, and every system that creates, receives, maintains, or transmits ePHI must comply with the HIPAA Security Rule requirements.

HIPAA Security Rule Summary of Requirements

The HIPAA Security Rule requires covered entities and business associates to:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit, by setting up administrative, physical, and technical safeguards on their equipment, storage media, software, and computer systems.
  • Identify and protect against reasonably anticipated threats to the security or integrity of that information.
  • Protect against reasonably anticipated impermissible uses or disclosures of that information.
  • Ensure that their workforce complies with the HIPAA Security Rule requirements.

If you have any questions, please don’t hesitate to contact us