A radiology practice in Tennessee got hit with a $3 million penalty because they let a former employee keep access to a cloud server holding over 300,000 patient records. The safeguard that would have prevented it? A termination procedure: an administrative safeguard the Security Rule spells out, which removes a departing workforce member's access the day they leave. That's one small piece of what the HIPAA Security Rule requires, and if you've ever stared at a compliance exam wondering which of the following are general security rules under HIPAA, this breakdown is built for you.
The Security Rule isn't a single checklist. It's an interconnected framework of safeguards designed to protect electronic protected health information (ePHI). Understanding its structure — and what HHS actually enforces — separates organizations that pass audits from those that write settlement checks.
What the HIPAA Security Rule Actually Covers
The HIPAA Security Rule, codified at 45 CFR Part 164, Subpart C, applies to every covered entity and business associate that creates, receives, maintains, or transmits ePHI. Unlike the Privacy Rule, which governs all forms of PHI, the Security Rule zeroes in on electronic data.
The general requirements live in 45 CFR § 164.306(a). They demand that covered entities and business associates:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of that ePHI.
- Protect against any reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
- Ensure compliance with the Security Rule by their workforce.
Those four bullets are the foundation. Everything else in the Security Rule flows from them.
The Three Safeguard Categories You Must Know
When someone asks which of the following are general security rules under HIPAA, the answer almost always maps to three categories of safeguards. Each one addresses a different dimension of ePHI protection.
Administrative Safeguards
Administrative safeguards make up over half the Security Rule's requirements. They cover the policies, procedures, and human-centered processes your organization needs. Key standards include:
- Risk Analysis and Risk Management: You must conduct a thorough, documented assessment of every potential risk to ePHI. Not once — continuously.
- Security Personnel: You need a designated security official responsible for developing and implementing your security policies.
- Workforce Training: Every member of your workforce who touches ePHI must receive training on your security policies and procedures. This isn't optional, and OCR checks for documentation.
- Contingency Planning: The contingency plan standard carries three required implementation specifications (a data backup plan, a disaster recovery plan, and an emergency mode operation plan) plus two addressable ones (testing and revision procedures, and an applications and data criticality analysis).
- Evaluation: Periodic technical and nontechnical evaluations to confirm your policies still meet Security Rule requirements.
I've seen organizations spend six figures on firewalls while having zero documented risk analyses. OCR doesn't care how much you spent on technology if you can't produce the paperwork.
Physical Safeguards
Physical safeguards protect the actual hardware, buildings, and equipment that store or provide access to ePHI. Standards include:
- Facility Access Controls: Limit physical access to your electronic information systems and the facilities that house them.
- Workstation Use and Security: Define how workstations should be used and implement physical protections for each one.
- Device and Media Controls: Govern the disposal, reuse, and movement of hardware and electronic media containing ePHI.
A hospital I consulted with once had servers in an unlocked utility closet accessible to janitorial staff. That's a textbook physical safeguard failure — and exactly the kind of thing OCR investigators flag during audits.
Technical Safeguards
Technical safeguards address the technology and related policies that protect ePHI and control access to it. The five standards are:
- Access Control: Unique user identification and emergency access procedures (both required), plus automatic logoff and encryption/decryption (both addressable).
- Audit Controls: Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI.
- Integrity: Policies and procedures to ensure ePHI isn't improperly altered or destroyed, with an addressable mechanism to authenticate that it hasn't been.
- Person or Entity Authentication: Procedures to verify that a person or entity seeking access to ePHI is who they claim to be.
- Transmission Security: Measures to guard against unauthorized access to ePHI during electronic transmission, including integrity controls and encryption (both addressable).
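The unique-user-identification specification above and the termination failure in the opening paragraph are two sides of the same control: every account must map to one accountable person, and that mapping must be checked against who still works for you. As an added example (not from the original article, and not any vendor's tooling), here is a small reconciliation check of the kind that would have caught the opening scenario. An HR termination feed is compared against an export of accounts on the system holding ePHI, and any account that is still enabled, or has logged in, after its owner's termination date is flagged, along with accounts that cannot be tied to a workforce member at all. The CSV data and column names are constructed for the example; adapt them to the HR and identity systems you actually run.

```python
"""
Added example: reconcile an HR termination list against an identity-system
export to find accounts that should have been disabled. All data and field
names below are constructed for the example, not a real system's schema.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR feed: one row per workforce member; termination_date is empty
# for people who are still employed.
HR_CSV = """employee_id,name,termination_date
1001,Ana Ruiz,
1002,Ben Okafor,2024-03-15
1003,Chen Wei,2024-06-01
1004,Dev Patel,
"""

# Constructed export from the system that holds ePHI: one row per account.
# employee_id is empty for accounts that are not tied to a person.
IAM_CSV = """username,employee_id,enabled,last_login
aruiz,1001,true,2024-07-02T08:15:00
bokafor,1002,true,2024-05-20T22:41:00
cwei,1003,false,2024-05-30T09:00:00
svc_backup,,true,2024-07-01T03:00:00
ghost,9999,true,2024-06-28T11:00:00
"""

# Date the review is run (constructed for the example).
AS_OF = date(2024, 7, 3)


@dataclass
class Finding:
    username: str
    reason: str


def _parse_date(s: str):
    return date.fromisoformat(s) if s else None


def _parse_ts(s: str):
    return datetime.fromisoformat(s) if s else None


def reconcile(hr_csv: str, iam_csv: str, as_of: date) -> list:
    """Return one Finding per account that violates the termination procedure."""
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(iam_csv)):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = _parse_ts(acct["last_login"])
        emp_id = acct["employee_id"].strip()

        if not emp_id:
            # Account with no owner: unique user identification cannot be
            # enforced for it, so it needs a documented owner and review.
            if enabled:
                findings.append(Finding(user, "enabled account not tied to any workforce member"))
            continue
        emp = hr.get(emp_id)
        if emp is None:
            # Account claims an employee ID that HR does not know about.
            findings.append(Finding(user, f"no HR record for employee_id {emp_id}"))
            continue
        term = _parse_date(emp["termination_date"])
        if term is None or term > as_of:
            continue  # still employed as of the review date, nothing to flag
        if enabled:
            days = (as_of - term).days
            findings.append(Finding(user, f"still enabled {days} days after termination on {term}"))
        if last_login is not None and last_login.date() > term:
            findings.append(Finding(user, f"login on {last_login.date()} after termination on {term}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_CSV, IAM_CSV, AS_OF):
        print(f"{f.username}: {f.reason}")
```

Note that `cwei` produces no finding: the account was disabled before the termination date and never logged in afterwards, which is what a working termination procedure looks like in the data. This check only covers the account on one system; a complete termination procedure also covers badges, VPN and remote-access credentials, shared mailboxes, and any business-associate portals the person could reach.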
The encryption question comes up constantly. Under the Security Rule, encryption is an addressable implementation specification, not a blanket requirement. But "addressable" doesn't mean "optional." You must either implement it or document why it isn't reasonable and appropriate for your environment and put an equivalent alternative measure in place where one is.
Required vs. Addressable: The Distinction That Trips Everyone Up
Every implementation specification in the Security Rule is labeled either required or addressable. Required means you do it, full stop. Addressable means you assess whether it's reasonable and appropriate for your environment.
If it's not reasonable, you must document why and implement an equivalent alternative measure. If the standard can be met without any additional safeguard, you document that too. What you cannot do is ignore it.
OCR has penalized organizations specifically for failing to address addressable specifications. In 2018, the University of Texas MD Anderson Cancer Center lost an administrative law judge challenge to a $4.3 million penalty tied to unencrypted portable devices holding ePHI; encryption is an addressable specification, and MD Anderson's own policies called for it but it had not been carried through on the devices involved. The Fifth Circuit vacated that penalty in 2021, but the case remains the standard illustration of how OCR treats an addressable specification that was never properly implemented.
Which of the Following Are General Security Rules? A Quick-Reference Answer
If you encounter this question on a compliance exam or workforce training quiz, here's the direct answer:
The general security rules under HIPAA require covered entities and business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI; protect against reasonably anticipated threats; prevent impermissible uses or disclosures; and ensure workforce compliance. These requirements are found in the Security Rule at 45 CFR § 164.306.
Items that are not part of the Security Rule's general requirements include provisions that belong to the Privacy Rule (like the minimum necessary standard, which applies to PHI in every form) or to the Breach Notification Rule (like the 60-day deadline for notifying affected individuals).
The $1.25 Million Risk Analysis Failure You Should Study
In 2023, OCR settled with Banner Health for $1.25 million after a 2016 breach affected nearly 3 million individuals. Among the findings: Banner Health had failed to conduct an enterprise-wide risk analysis — the most fundamental administrative safeguard in the Security Rule.
This pattern repeats constantly in OCR enforcement actions. Between 2008 and 2024, risk analysis failures appeared in the majority of settlements and civil monetary penalties listed on the HHS breach settlement page. If your organization hasn't completed a current, documented risk analysis, everything else you're doing is built on sand.
How Workforce Training Connects to Every Safeguard
Administrative safeguards require workforce training. Technical safeguards fail when staff share passwords or fall for phishing. Physical safeguards crumble when someone props open a server room door.
Every safeguard category depends on the people who interact with your systems daily. That's why investing in structured HIPAA compliance training isn't just an administrative checkbox — it's the connective tissue holding your entire Security Rule program together.
I've audited organizations where the firewall cost $200,000 and the workforce training budget was zero. Those are the organizations that end up on OCR's wall of shame. Your technology is only as strong as the person sitting in front of the screen.
Building a Security Rule Program That Actually Works
Here's the framework I recommend to every client:
- Start with a risk analysis. Document every system that touches ePHI. Identify threats. Rate likelihood and impact. This is step one, always.
- Assign a security official. One person owns the program. They don't have to do everything alone, but accountability must be clear.
- Implement safeguards across all three categories. Don't over-index on technical controls while ignoring policies and physical access.
- Train every workforce member. Role-based training through a comprehensive HIPAA training catalog ensures clinical staff, IT, billing, and leadership all understand their responsibilities.
- Document everything. The Security Rule requires you to retain policies, procedures, and the records of actions and assessments it requires for six years from the date of creation or the date they were last in effect, whichever is later. If it isn't written down, it didn't happen.
- Reassess regularly. Threats evolve. Your risk analysis from 2022 doesn't cover the AI tools your staff started using in 2025.
What OCR Looks for in 2026
OCR's enforcement priorities have shifted toward proactive audits and investigations triggered by breach reports. In my experience, investigators zero in on three things first: the risk analysis, workforce training records, and business associate agreements.
The Security Rule update HHS proposed in December 2024 (published in the Federal Register in January 2025) signaled an intent to eliminate the required/addressable distinction and make nearly all specifications mandatory. Whether those changes finalize in 2026 or later, the direction is clear: the bar is rising.
Your organization doesn't get credit for good intentions. OCR evaluates what you documented, what you implemented, and what your workforce actually does when no one is watching.
The general security rules under HIPAA aren't abstract concepts — they're the operational backbone of every compliant organization. Master the three safeguard categories, invest in your people through rigorous workforce training, and document every decision. That's how you stay off OCR's enforcement list and keep patient data where it belongs.