If your company handles electronic protected health information (ePHI), either as a covered entity (hospital, clinic, insurer) or as a business associate (software vendor, cloud provider, billing service), the HIPAA Security Rule mandates specific safeguards. Violations carry tiered civil penalties, from $100 to $50,000 per violation depending on culpability, with a statutory annual cap of $1.5 million per provision violated; both figures are inflation-adjusted each year, so the current amounts are higher.
This guide walks through the Security Rule's three safeguard categories and the specific requirements under each that most vendors fail to address fully.
Who This Applies To
The Security Rule applies to:
- Covered Entities — Healthcare providers, health plans, healthcare clearinghouses
- Business Associates — Any vendor, partner, or subcontractor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity
- Subcontractors of Business Associates — If your vendor's vendor touches ePHI, they're also bound by the Rule
If you've signed a Business Associate Agreement (BAA), the Security Rule applies to you. If a covered entity is asking you to sign one, everything in this checklist is now your responsibility.
Administrative Safeguards
Administrative safeguards are policies, procedures, and training programs. They're often underdocumented by technical teams who focus on infrastructure controls.
- Security Officer — You must designate a HIPAA Security Officer (can be an employee with another primary role) responsible for policy development and compliance.
- Risk Analysis — Conduct and document a thorough assessment of the potential risks and vulnerabilities to ePHI. This must be updated whenever there's a significant environmental or operational change.
- Risk Management — Implement security measures to reduce identified risks to a reasonable and appropriate level.
- Workforce Training — The Rule requires security awareness training for all members of the workforce, including management and contractors, not just staff with direct ePHI access. Document completion records and repeat training periodically.
- Access Management — Formal procedures for granting and terminating employee access to ePHI systems, including what happens when someone leaves the company.
- Contingency Plan — Data backup plan, disaster recovery plan, emergency mode operation plan, testing procedures.
- Business Associate Agreements — You must have signed BAAs with all your own subcontractors who touch ePHI.
Physical Safeguards
Physical safeguards apply to both physical facilities and the workstations and devices used to access ePHI. Cloud-native companies often underestimate physical safeguard requirements for employee devices.
- Facility Access Controls — Documented procedures for controlling physical access to systems that contain ePHI. If you're cloud-only, your data center provider's SOC 2 report or ISO 27001 cert satisfies most of this — but you still need the documentation showing you evaluated and rely on it.
- Workstation Use Policy — Written policy covering the proper functions and manner of use for workstations accessing ePHI.
- Workstation Security — Physical safeguards for workstations (screen locks, clean desk, no unattended access). Remote work policies must address this.
- Device and Media Controls — Procedures for the receipt and removal of hardware and electronic media containing ePHI, including data disposal (wiping, degaussing, physical destruction).
Technical Safeguards
Technical safeguards are the controls most engineering teams instinctively focus on — but even here, documentation requirements catch companies off guard.
- Access Control — Unique user identification for every user (no shared accounts) and an emergency access procedure are required specifications; automatic logoff after inactivity and encryption/decryption of ePHI are addressable, meaning you implement them or document why an alternative is reasonable and appropriate. In practice, treat all four as required.
- Audit Controls — Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain ePHI. You need logs — and you need to review them.
- Integrity — Mechanisms to authenticate ePHI and ensure it hasn't been altered or destroyed in an unauthorized manner. Checksums, digital signatures, or equivalent controls.
- Authentication — Verification that the person seeking access to ePHI is who they claim to be. The current Rule does not name MFA, but a defensible risk analysis will rarely conclude that single-factor authentication is adequate for remote or internet-accessible ePHI systems, and OCR's proposed Security Rule update would make MFA an explicit requirement. Plan on MFA.
- Transmission Security — Encryption of ePHI in transit. TLS 1.2+ for all ePHI transmission. Do not transmit ePHI over unencrypted email.
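The audit-controls and integrity items above are easy to claim and hard to evidence. The following is an added example, not code from the original guide: a tamper-evident ePHI access log in which each entry is HMAC-chained to the previous one (so deletion, reordering or editing of an entry is detectable), plus a minimal review pass that flags access by deactivated users and after-hours access. The key, event shape, business-hours window and the deactivated-user list are assumptions for illustration; in production the key would live in a KMS or HSM and the deactivated list would come from your HR/identity system.

```python
"""Added example (not from the original guide): HMAC-chained ePHI audit log plus review.

Assumptions (hypothetical): one HMAC key held by the log service, events as dicts,
and a set of deactivated user IDs supplied by the identity/HR system.
"""
import hashlib
import hmac
import json
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Assumption: in production this key is held in a KMS/HSM and rotated.
AUDIT_KEY = b"example-audit-key-replace-me"
GENESIS = "0" * 64


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so the MAC is reproducible on verification."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: List[dict], user_id: str, action: str, record_id: str, ts: str) -> dict:
    """Append one ePHI access event, binding it to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "user": user_id,
            "action": action, "record": record_id, "prev": prev}
    mac = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Optional[int]:
    """Return the index of the first broken entry, or None if the log is intact.

    Detects edited fields (MAC mismatch), deleted/reordered entries (seq or prev
    mismatch) and truncation from the middle; it cannot detect removal of the
    tail, which is why the latest MAC should be anchored elsewhere periodically.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return i
        prev = entry["mac"]
    return None


def review(log: List[dict], deactivated: Set[str],
           business_hours: Tuple[int, int] = (7, 19)) -> List[Tuple[int, str]]:
    """Flag events worth a human look: deactivated accounts and after-hours access."""
    findings = []
    for e in log:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["user"] in deactivated:
            findings.append((e["seq"], "access by deactivated user"))
        elif not business_hours[0] <= hour < business_hours[1]:
            findings.append((e["seq"], "after-hours access"))
    return findings


def build_sample_log() -> List[dict]:
    """Constructed sample events for demonstration; not real data."""
    log: List[dict] = []
    append_event(log, "u.alice", "read", "patient/1001", "2024-03-01T09:15:00")
    append_event(log, "u.bob", "update", "patient/1001", "2024-03-01T14:05:00")
    append_event(log, "u.carol", "read", "patient/2002", "2024-03-01T23:40:00")
    append_event(log, "u.dave", "read", "patient/3003", "2024-03-02T10:00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) is None)
    print("findings:", review(log, deactivated={"u.dave"}))
    log[1]["record"] = "patient/9999"  # simulate an after-the-fact edit
    print("first broken entry:", verify_chain(log))
```

The chain only proves integrity relative to the key holder, so the log service must not be writable by the same principals whose access it records; a periodic copy of the latest MAC to a separate store (or a signed timestamp) closes the tail-truncation gap noted in the code. The review pass is deliberately simple; the point is that "we have logs" only satisfies the audit-controls item when something, or someone, actually examines them.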
The Most Common Violations
OCR enforcement actions over the last five years consistently show the same failure patterns:
- No risk analysis — The most frequently cited violation. "We have good security" is not a risk analysis. You need a documented, systematic assessment.
- Insufficient access controls — Former employees with active credentials, shared administrative accounts, lack of role-based access limiting ePHI exposure to minimum necessary.
- Unencrypted ePHI at rest — Laptops without full-disk encryption that get stolen or lost are a common source of breach reports. Encryption at rest is an addressable specification, but ePHI encrypted to the NIST standards HHS references is not "unsecured PHI" and its loss does not trigger breach notification, which makes full-disk encryption on every endpoint one of the cheapest risk reductions available.
- No BAAs with subcontractors — Particularly common with cloud providers. AWS, Google Cloud, and Azure all offer BAAs — but you have to sign them.
- Failure to respond to security incidents — Not having a documented incident response procedure and failing to conduct post-incident analysis.
Where to Start
If you haven't done a formal HIPAA risk analysis, that's step one. Not because it's the most impactful control — it's because every other remediation decision flows from it. You can't prioritize what you haven't assessed.
Once you have your risk analysis, the fastest wins are usually: MFA everywhere ePHI is accessible, access termination procedures that actually get followed, and documented workforce training with completion records. None of these require significant infrastructure investment — they require process and documentation.
The technical controls (encryption, audit logging, transmission security) are table stakes for any modern software platform. If you're already operating a cloud-native SaaS product with proper security hygiene, you likely have 70–80% of the technical safeguards already. The gap is almost always the documentation, policy, and process layer.