In February 2024, OCR announced a $480,000 settlement with a New England dermatology practice that failed to implement even basic security measures after a reported breach. The investigation revealed gaps across all three safeguard categories required by the HIPAA Security Rule. When organizations search for guidance on HIPAA safeguards — often misspelled as "HIPPA safeguards" — they're looking for exactly what this practice lacked: a clear, actionable understanding of what the Security Rule actually demands.
What Are HIPAA Safeguards Under the Security Rule?
The HIPAA Security Rule, codified at 45 CFR Part 164, Subparts A and C, requires every covered entity and business associate to implement safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). These safeguards fall into three distinct categories: administrative, physical, and technical.
Each category contains both required and addressable implementation specifications. "Addressable" does not mean optional — a point OCR has reinforced in enforcement action after enforcement action. It means your organization must assess whether the specification is reasonable and appropriate, and if not, document why and implement an equivalent alternative.
Administrative Safeguards: Where Most HIPAA Violations Begin
In my work with covered entities, administrative safeguards are consistently the weakest link. They account for more than half of the Security Rule's implementation specifications and cover the policies, procedures, and workforce management practices that form your compliance foundation.
The key administrative safeguard requirements include:
- Risk analysis and risk management — conducting a thorough assessment of potential threats to ePHI and implementing measures to reduce those risks to a reasonable level. OCR has cited inadequate risk analysis in the majority of its enforcement settlements.
- Workforce training — ensuring every member of your workforce understands HIPAA policies and procedures relevant to their role. Comprehensive HIPAA training and certification programs are essential, not a one-time checkbox.
- Assigned security responsibility — designating a security official responsible for developing and implementing your security policies.
- Information access management — applying the minimum necessary standard so that workforce members access only the PHI they need for their job functions.
- Contingency planning — establishing data backup, disaster recovery, and emergency operations plans to ensure ePHI availability during a crisis.
Healthcare organizations consistently struggle with the risk analysis requirement. OCR doesn't accept a checklist or a one-time scan. It expects a comprehensive, documented process that is revisited regularly as your environment changes.
Physical Safeguards: Protecting the Hardware and Facilities
Physical safeguards address access to the actual facilities, workstations, and devices that store or transmit ePHI. This is where many smaller practices and business associates fall short because they assume physical security only applies to data centers.
The Security Rule requires:
- Facility access controls — policies governing who can physically enter areas where ePHI is stored or accessed, including visitor logs, locked server rooms, and badge access systems.
- Workstation use and security — defining the proper use of workstations and implementing physical protections like screen privacy filters, automatic locking, and positioning monitors away from public view.
- Device and media controls — establishing procedures for the receipt, removal, transfer, and disposal of hardware and electronic media containing ePHI. This includes wiping hard drives before disposal and tracking portable devices.
A 2023 OCR investigation into a stolen unencrypted laptop reinforced why physical HIPAA safeguards cannot be overlooked. The resulting penalty exceeded $1 million — a preventable loss had basic device controls been in place.
Technical Safeguards: Controlling Access to ePHI Systems
Technical safeguards are the technology-based protections your organization deploys to control access to ePHI and protect it during transmission. These include:
- Access controls — assigning unique user IDs, enabling emergency access procedures, implementing automatic logoff, and using encryption and decryption mechanisms.
- Audit controls — deploying hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI.
- Integrity controls — implementing policies and technology to ensure ePHI is not improperly altered or destroyed.
- Transmission security — protecting ePHI when it is transmitted over electronic networks, typically through encryption. While encryption is an addressable specification, OCR has made clear that transmitting unencrypted PHI over open networks is almost never justifiable.
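As an added illustration, not code from the article or from any HIPAA product, the following Python sketch models how the technical safeguards listed above work together: each workforce member has a unique ID and a session, an idle session is logged off automatically before any data is released, every access attempt (allowed or denied) lands in an append-only audit trail, a stored record carries an HMAC tag that is verified on every read, and the returned view is filtered to the fields the user's role needs. The integrity key, the 15-minute timeout, the role-to-field mapping and the patient record are all constructed assumptions.

```python
"""Added example (not from the article): a toy ePHI access layer that models the
technical safeguards working together: unique user IDs, role-based
minimum-necessary access, automatic logoff, an append-only audit trail and an
integrity check on stored records. All keys, roles, timeouts and patient data
are constructed for illustration."""
import hashlib
import hmac
import json

# Assumption: a deployment secret for tagging records. In production it would
# come from a key management service, never from source code.
INTEGRITY_KEY = b"constructed-demo-key-not-for-real-use"
IDLE_TIMEOUT_SECONDS = 900  # assumed policy: automatic logoff after 15 idle minutes

# Minimum necessary: which record fields each role may read (constructed mapping).
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "front_desk": {"name", "dob"},
}


def integrity_tag(record):
    """HMAC-SHA256 over a canonical JSON encoding, so any field change is detected."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class EphiStore:
    def __init__(self):
        self.records = {}    # patient_id -> {"data": dict, "tag": str}
        self.sessions = {}   # user_id -> {"role": str, "last_seen": float}
        self.audit_log = []  # append-only list of audit entries

    def _audit(self, now, user_id, patient_id, outcome):
        self.audit_log.append(
            {"ts": now, "user": user_id, "patient": patient_id, "outcome": outcome})

    def put(self, patient_id, data):
        """Store a record together with its integrity tag."""
        self.records[patient_id] = {"data": dict(data), "tag": integrity_tag(data)}

    def login(self, user_id, role, now):
        """Each workforce member has a unique ID; sessions are tracked per user."""
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role!r}")
        self.sessions[user_id] = {"role": role, "last_seen": now}

    def read(self, user_id, patient_id, now):
        """Return (outcome, fields). Every attempt, allowed or not, is audited."""
        session = self.sessions.get(user_id)
        if session is None:
            self._audit(now, user_id, patient_id, "no_session")
            return "no_session", None
        # Automatic logoff: an idle session is terminated before any data is released.
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self._audit(now, user_id, patient_id, "auto_logoff")
            return "auto_logoff", None
        session["last_seen"] = now
        rec = self.records.get(patient_id)
        if rec is None:
            self._audit(now, user_id, patient_id, "not_found")
            return "not_found", None
        # Integrity control: refuse to serve a record whose tag no longer matches.
        if not hmac.compare_digest(integrity_tag(rec["data"]), rec["tag"]):
            self._audit(now, user_id, patient_id, "integrity_failure")
            return "integrity_failure", None
        # Minimum necessary: filter the record down to the role's permitted fields.
        allowed = ROLE_FIELDS[session["role"]]
        view = {k: v for k, v in rec["data"].items() if k in allowed}
        self._audit(now, user_id, patient_id, "allowed")
        return "allowed", view


if __name__ == "__main__":
    store = EphiStore()
    store.put("P001", {"name": "Jane Roe", "dob": "1980-01-01", "diagnosis": "constructed",
                       "medications": "constructed", "insurance_id": "INS-000"})
    store.login("billing_01", "billing", now=0.0)
    print(store.read("billing_01", "P001", now=60.0))
    print(store.read("billing_01", "P001", now=60.0 + IDLE_TIMEOUT_SECONDS + 1))
    for entry in store.audit_log:
        print(entry)
```

The `now` parameter is passed explicitly rather than read from the clock so that the timeout path can be exercised deterministically in a test; a real deployment would also persist the audit log outside the application's own write path so that a compromised account cannot erase its own trail.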
Your technical safeguards must work in concert with your administrative policies. Access controls mean nothing if your workforce doesn't understand how to use them properly or why they exist.
The Safeguard Gap That Triggers OCR Enforcement
OCR doesn't typically investigate organizations that have a minor policy imperfection. It pursues organizations that have systemic gaps — missing risk analyses, untrained staff, absent encryption, and no documentation to show compliance efforts. Between 2019 and 2024, OCR resolved over 150 cases resulting in corrective action plans or civil monetary penalties, and inadequate safeguards were a factor in virtually every one.
The most dangerous assumption your organization can make is that implementing safeguards in one category compensates for gaps in another. A state-of-the-art firewall (technical) doesn't help when an untrained receptionist emails a patient's full medical record to the wrong address (administrative). Encrypted laptops (technical) don't matter when the server room door is propped open with a chair (physical).
Building a Complete HIPAA Safeguards Program
Start with a current, comprehensive risk analysis. Document every identified risk, your mitigation strategy, and your timeline for implementation. Then address each safeguard category systematically:
- Review and update administrative policies at least annually.
- Conduct physical security walkthroughs of every location where ePHI is accessed.
- Test technical controls, including access logs, encryption configurations, and backup restoration procedures.
- Invest in ongoing workforce HIPAA compliance programs that go beyond annual slide decks — your workforce is both your greatest vulnerability and your strongest defense.
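The "test technical controls, including access logs" step above is where the audit controls specification earns its keep: recording activity is only half of it, someone has to examine the trail. As an added example, not code from the article, here is a small Python review script over a constructed key=value audit log. It pulls out denied attempts (workforce members reaching past minimum necessary), flags any user who read an unusually large number of distinct patients in a short window, and lists accesses outside business hours. The log format, thresholds and hours are assumptions for the illustration.

```python
"""Added example (not from the article): reviewing an ePHI audit trail as part of
the periodic test of technical controls. The log lines, log format, thresholds
and business hours below are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an application audit log (key=value format assumed).
SAMPLE_LOG = """\
2024-03-04T14:02:05Z user=dr_lee role=physician patient=P0101 action=read outcome=allowed
2024-03-04T14:05:41Z user=fd_ana role=front_desk patient=P0101 action=read outcome=allowed
2024-03-04T14:06:10Z user=fd_ana role=front_desk patient=P0101 action=read_diagnosis outcome=denied
2024-03-04T02:10:00Z user=bill_tom role=billing patient=P0201 action=read outcome=allowed
2024-03-04T02:10:30Z user=bill_tom role=billing patient=P0202 action=read outcome=allowed
2024-03-04T02:11:00Z user=bill_tom role=billing patient=P0203 action=read outcome=allowed
2024-03-04T02:11:30Z user=bill_tom role=billing patient=P0204 action=read outcome=allowed
2024-03-04T02:12:00Z user=bill_tom role=billing patient=P0205 action=read outcome=allowed
2024-03-04T02:12:30Z user=bill_tom role=billing patient=P0206 action=read outcome=allowed
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a UTC datetime."""
    ts_str, *fields = line.split()
    entry = dict(f.split("=", 1) for f in fields)
    entry["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return entry


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_attempts(entries):
    """Denied accesses: each one is a user reaching beyond minimum necessary."""
    return [e for e in entries if e["outcome"] == "denied"]


def bulk_access(entries, window_seconds=600, threshold=5):
    """Users who read at least `threshold` distinct patients within any
    `window_seconds` window. Returns {user: max distinct patients seen}."""
    by_user = defaultdict(list)
    for e in entries:
        if e["action"].startswith("read") and e["outcome"] == "allowed":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            patients = set()
            for e in events[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                patients.add(e["patient"])
            if len(patients) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(patients))
    return flagged


def after_hours(entries, start_hour=7, end_hour=19):
    """Accesses outside the assumed business window (hours are UTC in this sample)."""
    return [e for e in entries if not (start_hour <= e["ts"].hour < end_hour)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("denied:", [(e["user"], e["action"]) for e in denied_attempts(entries)])
    print("bulk access:", bulk_access(entries))
    print("after hours:", len(after_hours(entries)), "entries")
```

A flagged user is a lead for the security official to follow up on, not a finding by itself; the billing user in the sample may have a legitimate batch job. The value of the exercise for an OCR investigation is the documented evidence that the log is actually examined on a schedule.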
Document everything. In an OCR investigation, your documentation is your evidence. If it isn't written down, it didn't happen.
Don't Let a Common Misspelling Mask a Critical Requirement
Whether you searched for "HIPPA safeguards" or "HIPAA safeguards," the obligation is the same. The Security Rule requires your covered entity or business associate to implement and maintain all three safeguard categories — administrative, physical, and technical — to protect the PHI entrusted to your organization. The stakes are too high, and OCR's enforcement posture too aggressive, to leave any of these categories unaddressed.