The HIPAA Security Rule requires every covered entity and business associate to protect electronic protected health information (ePHI) using three categories of safeguards: administrative, physical, and technical. These are not suggestions. They are federal requirements codified in 45 CFR Part 164, Subpart C, and failing to implement them is one of the most common reasons organizations end up writing large checks to the Office for Civil Rights (OCR).
Yet most practices and organizations struggle with the same question: what do these safeguards actually require in practice?
The regulatory text is dense. The standards overlap. Some requirements are “required” and others are “addressable”, a distinction that trips up nearly every organization that encounters it for the first time. And if you only focus on one category while neglecting the others, you have a compliance gap that OCR will find.
This guide breaks down all three safeguard categories in plain language. For each one, you will find what the regulation says, what it means for your organization, and what you actually need to do. If your organization has not yet conducted a HIPAA risk assessment, start there; the safeguards only work when they are built on top of a clear understanding of your risks.
This content is for educational and informational purposes only and should not be construed as legal advice.
Administrative, Physical, and Technical Safeguards Under the HIPAA Security Rule
How the HIPAA Security Rule Organizes Safeguards
Before diving into the three categories, it helps to understand how the Security Rule is structured. Under 45 CFR 164.302–164.318, the Security Rule establishes:
- Standards: broad security objectives every covered entity and business associate must meet.
- Implementation specifications: specific actions that satisfy those standards. Each specification is classified as either required or addressable.
A required specification is exactly what it sounds like: you must implement it. Period.
An addressable specification is frequently misunderstood. “Addressable” does not mean optional. It means you must assess whether the specification is reasonable and appropriate for your environment. If it is, you implement it. If it is not, you document why and implement an equivalent alternative measure. Either way, you must document your decision. Ignoring addressable specifications is a compliance failure, and OCR has fined organizations specifically for it.
For a deeper look at this distinction, see our article on why “addressable” does not mean optional.
The three safeguard categories are:
- Administrative safeguards (45 CFR 164.308): policies, procedures, and workforce management
- Physical safeguards (45 CFR 164.310): facility and device protections
- Technical safeguards (45 CFR 164.312): technology-based access controls and protections
Each category addresses a different dimension of ePHI security, and all three must work together. A locked server room means nothing if any employee can log into the EHR without authentication. The strongest encryption in the world does not help if your workforce has never been trained on phishing.
Administrative Safeguards: The Foundation
Administrative safeguards are found in 45 CFR 164.308. They are the largest and most involved category, and for good reason. Administrative safeguards set the policies, accountability structures, and ongoing management processes that everything else is built on. You can think of them as the organizational backbone of your compliance program.
If your practice has solid administrative safeguards, you have a fighting chance when something goes wrong. If you do not, even the best technology will not save you.
Security Management Process (164.308(a)(1))
This is the starting point for every compliance program. The Security Management Process standard requires four implementation specifications:
- Risk analysis (required): Conduct an accurate, thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This is the HIPAA risk assessment that OCR asks for first during every investigation. If you do not have a current one, nothing else in your compliance program stands on solid ground.
- Risk management (required): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Risk analysis without risk management is just an expensive document.
- Sanction policy (required): Apply appropriate sanctions against workforce members who violate your security policies. This does not mean you need to fire someone for every misstep, but you do need a documented, consistent process.
- Information system activity review (required): Regularly review records of information system activity, such as audit logs, access reports, and security incident tracking.
Assigned Security Responsibility (164.308(a)(2))
Every covered entity and business associate must identify a single individual who is responsible for developing and implementing the security policies and procedures required by the Security Rule. This is your HIPAA Security Officer. The role can be combined with other responsibilities, a common approach in smaller practices, but someone must be named, and that person must actually perform the function.
For guidance on what this role involves, see our HIPAA compliance officer guide.
Workforce Security (164.308(a)(3))
This standard addresses who within your organization has access to ePHI and how that access is managed:
- Authorization and/or supervision (addressable): Implement procedures for authorizing and supervising workforce members who work with ePHI.
- Workforce clearance procedure (addressable): Determine whether a workforce member’s access to ePHI is appropriate before granting it.
- Termination procedures (addressable): Establish procedures for terminating access to ePHI when a workforce member’s employment ends or their role changes.
The termination procedures specification is one of the most commonly overlooked. When an employee leaves, their access to email, EHR, cloud storage, and any other system containing ePHI must be revoked promptly. “We’ll get to it next week” is not an acceptable approach.
Information Access Management (164.308(a)(4))
This standard controls who can access what:
- Isolating healthcare clearinghouse functions (required): If a healthcare clearinghouse is part of a larger organization, the clearinghouse must protect ePHI from unauthorized access by the larger entity.
- Access authorization (addressable): Implement policies and procedures for granting access to ePHI.
- Access establishment and modification (addressable): Implement policies and procedures that establish, document, review, and modify a user’s right of access to ePHI.
Security Awareness and Training (164.308(a)(5))
You cannot protect ePHI if your workforce does not understand the threats. This standard requires a security awareness and training program with four addressable specifications:
- Security reminders: Periodic updates to keep security top of mind.
- Protection from malicious software: Procedures for guarding against, detecting, and reporting malicious software.
- Log-in monitoring: Procedures for monitoring log-in attempts and reporting discrepancies.
- Password management: Procedures for creating, changing, and safeguarding passwords.
Training must be provided to all workforce members, including management. One-and-done training at onboarding does not satisfy this requirement. The regulation expects an ongoing program. For a practical approach, see our guide on HIPAA training program implementation.
Security Incident Procedures (164.308(a)(6))
Every organization must implement policies and procedures to address security incidents. The single required specification here is response and reporting: you must identify and respond to suspected or known security incidents, mitigate harmful effects to the extent practicable, and document incidents and their outcomes.
This is where your incident management procedures come in. A security incident that is not documented might as well not have been handled at all, because you will have no evidence of your response.
Contingency Plan (164.308(a)(7))
If your systems go down, can you still access ePHI? Can you recover it? The Contingency Plan standard requires:
- Data backup plan (required): Establish and implement procedures to create and maintain retrievable exact copies of ePHI.
- Disaster recovery plan (required): Establish and implement procedures to restore any loss of data.
- Emergency mode operation plan (required): Establish procedures to enable continuation of critical business processes that protect the security of ePHI during an emergency.
- Testing and revision procedures (addressable): Implement procedures for periodic testing and revision of contingency plans.
- Applications and data criticality analysis (addressable): Assess the relative criticality of specific applications and data to establish priorities for the contingency plan.
The organizations that handle ransomware incidents with the least damage are invariably the ones that had tested backup and recovery procedures before the incident occurred.
Evaluation (164.308(a)(8))
Perform periodic technical and nontechnical evaluations to determine the extent to which your security policies and procedures meet the requirements of the Security Rule. This is not a one-time activity. Your risk environment changes, your technology changes, and your compliance program must keep pace.
Business Associate Contracts (164.308(b))
Before any business associate creates, receives, maintains, or transmits ePHI on your behalf, you must have a written contract or other arrangement that meets the requirements of 45 CFR 164.314(a). This is the business associate agreement (BAA). If you do not have BAAs in place with every qualifying vendor, you have an open compliance gap.
For more detail, see our guide on business associate agreement mistakes to avoid.
Physical Safeguards: Protecting the Real World
Physical safeguards are defined in 45 CFR 164.310. They address the physical protection of electronic information systems and the facilities that house them. This category is often underestimated: organizations invest heavily in firewalls and encryption but leave server room doors unlocked or allow laptops containing ePHI to leave the building without any tracking.
Physical safeguards protect ePHI from unauthorized physical access, tampering, and theft. For a detailed treatment, see our physical safeguards article.
Facility Access Controls (164.310(a)(1))
This standard requires policies and procedures to limit physical access to your electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. It includes four addressable specifications:
- Contingency operations: Establish procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan.
- Facility security plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
- Access control and validation procedures: Implement procedures to control and validate a person’s access to facilities based on their role or function.
- Maintenance records: Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (hardware, walls, doors, locks).
In practice, this means controlling who can enter areas where ePHI is stored or accessible. Badge readers, visitor logs, locked server rooms, and camera systems are common implementations. A solo practice might satisfy this with a locked office door and a policy about who has a key. A hospital needs layered access controls across multiple buildings and departments.
Workstation Use (164.310(b))
This required standard is straightforward: implement policies and procedures that specify the proper functions to be performed on workstations, the manner in which those functions are to be performed, and the physical attributes of the surroundings of workstations that access ePHI.
Translation: if a workstation can access ePHI, you need to define who can use it, what they can do on it, and where it should be physically located. A check-in kiosk in a waiting room has different requirements than a workstation in a locked back office. Screen positioning matters: patients in a waiting area should not be able to read a monitor displaying another patient’s records.
Workstation Security (164.310(c))
This required standard calls for physical safeguards on all workstations that access ePHI. The goal is to restrict access to authorized users only. Cable locks, restricted-access areas, privacy screens, and automatic screen locks are common implementations.
Device and Media Controls (164.310(d)(1))
This standard governs the movement of hardware and electronic media that contain ePHI into and out of your facility, as well as the movement of these items within your facility:
- Disposal (required): Implement policies and procedures for the final disposition of ePHI and the hardware or electronic media on which it is stored. You cannot throw a hard drive in a dumpster. Drives must be wiped, degaussed, or physically destroyed, and the process must be documented.
- Media re-use (required): Implement procedures for removal of ePHI from electronic media before the media is made available for re-use.
- Accountability (addressable): Maintain a record of the movements of hardware and electronic media and any person responsible for those items.
- Data backup and storage (addressable): Create a retrievable, exact copy of ePHI when needed before movement of equipment.
The disposal specification is particularly important. OCR has settled cases specifically because organizations threw away or recycled devices without properly destroying the ePHI on them.
Technical Safeguards: Protecting the Data Itself
Technical safeguards are found in 45 CFR 164.312. These are the technology-based protections that control access to ePHI and protect it during storage and transmission. If administrative safeguards are the policies and physical safeguards are the locks, technical safeguards are the digital controls that enforce protection at the system level.
Access Control (164.312(a)(1))
This standard requires technical policies and procedures that allow only authorized persons or software programs to access electronic information systems containing ePHI. It includes four implementation specifications:
- Unique user identification (required): Assign a unique name and/or number for identifying and tracking user identity. Shared logins are a compliance failure. Every user who accesses ePHI must have their own credentials.
- Emergency access procedure (required): Establish procedures for obtaining necessary ePHI during an emergency. When systems are down, authorized users still need access to critical patient data.
- Automatic logoff (addressable): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. This prevents unauthorized access when a user walks away from a workstation.
- Encryption and decryption (addressable): Implement a mechanism to encrypt and decrypt ePHI. While classified as addressable, encryption is one of the strongest protections available and is effectively required in most modern environments.
For a detailed breakdown of access control requirements, see our guide on ePHI access control best practices.
Audit Controls (164.312(b))
This required standard calls for hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Audit logs must capture who accessed what, when, and what they did. These logs are essential for detecting unauthorized access, investigating incidents, and demonstrating compliance during an OCR audit. Generating logs is only half the requirement; you must also review them regularly. Logs that nobody reads provide no security benefit.
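As an added example (not part of the original article), the script below runs a review over a few constructed EHR audit-log lines and reports the three conditions the Security Rule specifically asks you to look for: use of an account belonging to a terminated workforce member, a burst of failed log-ins (log-in monitoring), and a session that stayed open past the automatic-logoff threshold. The log format, user names, patient ids, HR feed and thresholds are all assumptions for the example.

```python
"""Review constructed EHR audit-log lines for terminated-user access, failed
log-in bursts, and sessions that outlive the automatic-logoff threshold.
The export format, users, patient ids and thresholds are constructed for this
example; map parse_log() to your own system's export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,user,event,resource
SAMPLE_LOG = """\
2024-03-04T08:02:11,jsmith,LOGIN_OK,-
2024-03-04T08:03:40,jsmith,VIEW_RECORD,patient:10442
2024-03-04T08:31:05,jsmith,VIEW_RECORD,patient:10442
2024-03-04T08:32:00,jsmith,LOGOUT,-
2024-03-04T09:10:00,rlee,LOGIN_FAIL,-
2024-03-04T09:10:20,rlee,LOGIN_FAIL,-
2024-03-04T09:10:45,rlee,LOGIN_FAIL,-
2024-03-04T09:11:10,rlee,LOGIN_FAIL,-
2024-03-04T09:11:30,rlee,LOGIN_FAIL,-
2024-03-04T21:15:02,bformer,LOGIN_OK,-
2024-03-04T21:16:44,bformer,VIEW_RECORD,patient:20991
"""

# Constructed HR feed: workforce members whose access should already be revoked.
TERMINATED = {"bformer": datetime(2024, 3, 1)}

FAILED_LOGIN_LIMIT = 5                 # failures per user within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
IDLE_LIMIT = timedelta(minutes=15)     # the policy's automatic-logoff threshold


def parse_log(text):
    """Turn the export into (timestamp, user, event, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, event, resource))
    return sorted(events)  # chronological so the per-user checks see order


def review(events, terminated=TERMINATED):
    """Return (category, user, detail) findings for a human reviewer."""
    findings = []
    fails = defaultdict(list)   # user -> timestamps of recent failed log-ins
    last_activity = {}          # user -> timestamp of last in-session event
    for ts, user, event, resource in events:
        # 1. Terminated workforce member still able to use an account.
        if user in terminated and ts >= terminated[user] and event != "LOGIN_FAIL":
            findings.append(("terminated_user_access", user,
                             f"{event} {resource} at {ts.isoformat()}"))
        # 2. Log-in monitoring: a burst of failed attempts on one account.
        if event == "LOGIN_FAIL":
            recent = [t for t in fails[user] if ts - t <= FAILED_LOGIN_WINDOW]
            recent.append(ts)
            fails[user] = recent
            if len(recent) == FAILED_LOGIN_LIMIT:   # report once per burst
                findings.append(("failed_login_burst", user,
                                 f"{len(recent)} failures since {recent[0].isoformat()}"))
            continue
        # 3. Automatic logoff: activity resumes after a gap longer than policy
        #    allows with no fresh LOGIN_OK, so the session was never cut off.
        prev = last_activity.get(user)
        if prev is not None and event != "LOGIN_OK" and ts - prev > IDLE_LIMIT:
            findings.append(("idle_session_not_terminated", user,
                             f"{(ts - prev).seconds // 60} min idle before {event}"))
        if event == "LOGOUT":
            last_activity.pop(user, None)
        else:
            last_activity[user] = ts
    return findings


if __name__ == "__main__":
    for category, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{category:30} {user:10} {detail}")
```

Each finding is something a reviewer must be able to show they looked at; keeping the review output with the date it was run is the documentation of the information system activity review described earlier.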
Integrity (164.312(c)(1))
This standard requires policies and procedures to protect ePHI from improper alteration or destruction:
- Mechanism to authenticate electronic protected health information (addressable): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Checksums, digital signatures, and version control systems are common implementations.
Data integrity is often overlooked in favor of confidentiality, but it matters just as much. If a patient’s medication record is altered, whether by a malicious actor or a system error, the consequences can be clinical, not just regulatory.
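The following is an added example, not code from the original article, of one integrity mechanism of the kind the specification describes: a keyed HMAC tag stored alongside a patient record so that an altered medication field is detected at read time. The record fields and the key are constructed for the example; an unkeyed checksum would not serve here, because anyone who can rewrite the record could also recompute the checksum.

```python
"""Corroborate that a stored ePHI record has not been altered since an
authorized writer last sealed it. Record fields and key are constructed for
this example; a real deployment keeps the key in a secrets manager or HSM."""
import hashlib
import hmac
import json

# Constructed key for the example only; never hard-code a real one.
INTEGRITY_KEY = b"example-only-integrity-key"


def canonical(record):
    """Stable byte encoding so identical content always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Attach an HMAC-SHA256 tag, as the authorized write path would."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the stored record still matches the tag written with it."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo():
    """Seal a constructed record, then check it intact and after tampering."""
    patient = seal({"patient_id": "10442", "medication": "metformin 500 mg",
                    "version": 3})
    # Tampering scenario: the dose is changed directly in storage, bypassing
    # the write path, so the tag is left as it was.
    tampered = {"record": dict(patient["record"], medication="metformin 5000 mg"),
                "tag": patient["tag"]}
    return verify(patient), verify(tampered)


if __name__ == "__main__":
    intact, altered_detected = demo()
    print("intact record verifies:", intact)
    print("tampered record verifies:", altered_detected)
```

A tag of this kind detects alteration of a record that is still present; detecting destruction (a missing record or version) needs a separate control, such as a sealed index of expected record versions.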
Person or Entity Authentication (164.312(d))
This required standard calls for procedures to verify that a person or entity seeking access to ePHI is who they claim to be. Passwords, tokens, biometrics, and smart cards are all common authentication mechanisms. Under the proposed Security Rule updates, multi-factor authentication is moving toward a required specification for most access to ePHI.
Transmission Security (164.312(e)(1))
This standard protects ePHI when it is transmitted over an electronic communications network:
- Integrity controls (addressable): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
- Encryption (addressable): Implement a mechanism to encrypt ePHI whenever deemed appropriate. In practice, encrypting data in transit is a baseline expectation in nearly every modern environment. TLS for email, HTTPS for web applications, and encrypted VPNs for remote access are standard implementations.
For a detailed discussion of current encryption requirements, see our HIPAA encryption requirements guide.
How the Three Safeguards Work Together
A common mistake is treating these three categories as independent checklists. They are not. They are interconnected layers of a single security program, and gaps in one category undermine the others.
Consider a practical example: an employee leaves your organization.
- Administrative safeguards require a termination procedure that revokes their access to ePHI.
- Physical safeguards require that their badge or key is collected so they can no longer enter areas where ePHI is stored.
- Technical safeguards require that their user account is deactivated and their unique credentials no longer work.
If you handle two of these three and miss the third, you have a vulnerability. The former employee might not be able to log in remotely, but they can still walk through the front door and access a workstation. Or they have turned in their badge, but their EHR account is still active and accessible from any internet-connected device.
This is why the Security Rule requires a comprehensive, organization-wide approach. Compliance is not about checking boxes in isolation; it is about building a coherent security program where policies, physical controls, and technology reinforce each other.
Required vs. Addressable: A Quick Reference
Understanding the required/addressable distinction is critical for implementation planning. Here is a summary across all three safeguard categories:
Always required (no flexibility):
- Risk analysis
- Risk management
- Sanction policy
- Information system activity review
- Assigned security responsibility
- Security incident response and reporting
- Data backup plan
- Disaster recovery plan
- Emergency mode operation plan
- Business associate contracts
- Workstation use policies
- Workstation security
- ePHI disposal procedures
- Media re-use procedures
- Unique user identification
- Emergency access procedures
- Audit controls
- Person or entity authentication
Addressable (must implement, document an alternative, or document why neither applies):
- Security reminders
- Malicious software protection procedures
- Log-in monitoring
- Password management
- Contingency plan testing
- Applications and data criticality analysis
- Authorization and supervision
- Workforce clearance procedures
- Termination procedures
- Access authorization
- Access establishment and modification
- Facility contingency operations
- Facility security plan
- Access control and validation
- Maintenance records
- Device accountability
- Data backup before equipment movement
- Automatic logoff
- Encryption and decryption (at rest)
- Mechanism to authenticate ePHI
- Integrity controls (in transit)
- Encryption (in transit)
For each addressable specification, your organization must document its decision. “We decided not to implement it” without documentation and analysis is not addressable implementation; it is noncompliance. For more on documentation requirements, see our HIPAA documentation requirements guide.
Implementation: Where to Start
If your organization is building or rebuilding its safeguards program, here is a practical sequence:
Step 1: Conduct a Risk Assessment
Everything starts with the risk assessment. You cannot implement appropriate safeguards if you do not know what you are protecting, where it is, and what threatens it. The risk assessment identifies your ePHI environment, catalogs threats and vulnerabilities, and produces a prioritized list of risks. See our risk assessment service for guidance.
Step 2: Assign Responsibility
Designate a HIPAA Security Officer. Make sure this person has the authority and resources to implement the security program. In a small practice, this might be the office manager or the physician themselves. In a larger organization, it is typically a dedicated compliance or IT security role.
Step 3: Develop Policies and Procedures
Based on your risk assessment findings, develop written policies and procedures that address every standard and implementation specification in the Security Rule. These documents are not optional; they are required, and OCR will request them during any investigation.
Step 4: Implement Technical Controls
Deploy the technology-based protections: access controls, encryption, audit logging, automatic logoff, MFA, and transmission security. Work with your IT team or managed service provider to ensure configurations align with your written policies.
Step 5: Implement Physical Controls
Secure your facilities, workstations, and devices. This includes access controls for physical spaces, workstation positioning and security, and media disposal procedures.
Step 6: Train Your Workforce
Roll out security awareness training to all workforce members. Training must cover your specific policies and procedures, not just generic HIPAA content. Repeat training on a regular schedule and document attendance. See our guide on HIPAA training program implementation.
Step 7: Test, Monitor, and Update
Compliance is not a one-time project. Test your contingency plans. Review audit logs. Monitor for security incidents. Evaluate your program periodically and update it when your risk environment changes, which it will, regularly.
Common Mistakes Organizations Make
After years of working with healthcare organizations on HIPAA compliance, certain patterns repeat themselves. Here are the mistakes we see most frequently:
Treating the risk assessment as a formality. The risk assessment is the foundation. If it is a checkbox exercise rather than an honest evaluation, every safeguard built on top of it is misaligned.
Ignoring addressable specifications. Again: addressable does not mean optional. Failing to address an addressable specification, whether by implementing it, implementing an alternative, or documenting why neither applies, is a compliance failure.
No documentation. If it is not documented, it did not happen. OCR does not accept verbal assurances. Policies, procedures, risk assessments, training records, incident reports, and addressable specification decisions all must be in writing.
Focusing on technology and neglecting administration. Buying a firewall or subscribing to an encrypted email service does not make you compliant. Without the policies, training, and management oversight that administrative safeguards require, technology is just an expensive security blanket.
No incident response plan. When a breach occurs, every hour matters. Organizations without a tested incident response plan waste critical time figuring out what to do instead of doing it. If you need help building one, see our incident management services.
Stale business associate agreements. BAAs must be in place before a vendor touches ePHI, and they must be reviewed and updated when relationships or regulations change.
Frequently Asked Questions
Do all three safeguard categories apply to business associates?
Yes. Under the HITECH Act and the Omnibus Rule, business associates are directly subject to the HIPAA Security Rule, including all three safeguard categories. Business associates must implement administrative, physical, and technical safeguards appropriate to their operations. Additionally, if a business associate experiences a breach of unsecured PHI, their obligation under 45 CFR 164.410 is to notify the covered entity, not to manage the overall breach response.
What is the difference between required and addressable specifications?
Required specifications must be implemented as written. Addressable specifications require a documented assessment: if the specification is reasonable and appropriate for your environment, you implement it. If it is not, you document why and implement an equivalent alternative measure that achieves the same protective purpose. You cannot simply skip addressable specifications.
How often do we need to review our safeguards?
The Security Rule requires periodic evaluation under 45 CFR 164.308(a)(8), but it does not prescribe a specific frequency. Industry best practice is to conduct a formal review at least annually and whenever significant changes occur, such as new technology implementations, organizational changes, or security incidents. Organizations should consult legal counsel to determine the review frequency appropriate for their specific circumstances.
Can a small practice realistically implement all three safeguard categories?
Yes. The Security Rule is designed to be scalable. What constitutes reasonable and appropriate implementation depends on the size, complexity, and capabilities of your organization. A two-provider practice will not implement safeguards the same way a hospital system does, but it still must address every standard. The risk assessment helps right-size your approach. Our HIPAA consulting services work with practices of all sizes.
Is encryption required or addressable?
Encryption is classified as addressable for both data at rest (45 CFR 164.312(a)(2)(iv)) and data in transit (45 CFR 164.312(e)(2)(ii)). However, in virtually every modern healthcare environment, encryption is the most reasonable and appropriate way to protect ePHI. Organizations that choose not to encrypt must document why and implement an equivalent alternative, a position that is very difficult to defend. Additionally, under the Breach Notification Rule, properly encrypted data is not considered “unsecured PHI,” meaning a loss or theft of encrypted data may not trigger breach notification requirements. For current specifics, see our HIPAA encryption requirements guide.
Where do the 2026 Security Rule updates affect the three safeguards?
The proposed updates to the HIPAA Security Rule strengthen requirements across all three categories. Key changes include removing the required/addressable distinction (making all specifications required), mandating specific technical controls like multi-factor authentication and encryption, requiring more detailed asset inventories, and establishing new requirements for patch management and network segmentation. For a complete breakdown, see our article on new HIPAA Security Rule changes. Organizations should consult legal counsel to understand how proposed rule changes may affect their specific compliance obligations.
Conclusion
The three HIPAA safeguard categories, administrative, physical, and technical, are the structural framework of the Security Rule. They are not optional modules you can pick from. They are interdependent requirements that must be implemented together, documented thoroughly, and maintained continuously.
Administrative safeguards establish the people, policies, and processes that govern your security program. Physical safeguards protect the real-world spaces and equipment where ePHI lives. Technical safeguards enforce protection at the system and data level. Together, they form a security program capable of protecting patient data, and protecting your organization from enforcement actions.
If your organization needs help assessing your current safeguards, identifying gaps, or building a compliance program from the ground up, One Guy Consulting can help. We work with covered entities and business associates of all sizes, from solo practices to multi-location organizations, to build HIPAA compliance programs that actually work. Start with a risk assessment; it is the foundation everything else is built on.
If you have specific questions about how the safeguards apply to your practice, we also offer compliance consulting tailored to medical practices.
Sources
- 45 CFR Part 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information
- 45 CFR 164.308, Administrative Safeguards
- 45 CFR 164.310, Physical Safeguards
- 45 CFR 164.312, Technical Safeguards
- HHS HIPAA Security Rule Summary
- HHS Security Rule Guidance Material
- NIST SP 800-66 Rev. 2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide
- HHS Office for Civil Rights, HIPAA Enforcement
- 45 CFR 164.410, Notification by a Business Associate