A community hospital in Yakima, Washington lost an unencrypted laptop in 2013. That single device held the electronic protected health information of 524 patients. The Office for Civil Rights investigated, found systemic failures in risk analysis and device controls, and the result was a $140,000 settlement with Community Health Systems. The laptop wasn't the problem. The problem was that nobody at that organization fully understood what the HIPAA Security Rule required of them — or that it applied to every piece of ePHI they touched.
If you've ever searched "the HIPAA Security Rule applies to which of the following," you're asking the right question. And the answer is more specific — and more far-reaching — than most people expect.
The HIPAA Security Rule Applies to Which of the Following? A Direct Answer
The HIPAA Security Rule applies specifically to electronic protected health information (ePHI) created, received, maintained, or transmitted by covered entities and their business associates. That's it. Not paper records. Not verbal conversations. Those fall under the Privacy Rule. The Security Rule is laser-focused on ePHI.
Covered entities include three categories defined by HHS:
- Health plans — health insurance companies, HMOs, employer-sponsored group health plans, Medicare, and Medicaid
- Health care clearinghouses — entities that process nonstandard health information into standard formats
- Health care providers — any provider who transmits health information electronically in connection with a HIPAA-covered transaction (claims, eligibility inquiries, referral authorizations, etc.)
Business associates — cloud vendors, billing companies, IT contractors, shredding services — are also directly liable under the Security Rule thanks to the HITECH Act of 2009. If your organization handles ePHI on behalf of a covered entity, you're on the hook.
What the Security Rule Does NOT Apply To
This is where I see confusion constantly. The Security Rule does not apply to PHI in paper form. It does not apply to oral communications. A nurse discussing a patient's diagnosis in a hallway is a Privacy Rule issue, not a Security Rule issue.
It also doesn't apply to employers acting in their capacity as employers — even if they have access to employee health data through workers' compensation or FMLA. The employer isn't a covered entity just because it has health information. The group health plan it sponsors, however, is a covered entity.
And here's one that trips up small practices: if a health care provider never conducts electronic transactions — never submits an electronic claim, never checks eligibility electronically — the Security Rule technically doesn't apply. In 2026, that scenario is nearly extinct. Almost every provider conducts at least one covered electronic transaction.
The Three Safeguard Categories You're Required to Implement
The Security Rule organizes its requirements into three categories of safeguards. Each one contains both "required" and "addressable" implementation specifications. Addressable doesn't mean optional — it means you must implement the specification as written, or document why it is not reasonable and appropriate in your environment and implement an equivalent alternative measure where one is.
Administrative Safeguards (§ 164.308)
These are the policies, procedures, and workforce management practices that govern ePHI access. They include risk analysis, workforce training, contingency planning, and assigning a security official. In my experience, administrative safeguards are where most organizations fail first. They skip the risk analysis, or they treat it as a one-time checkbox instead of an ongoing process.
The 2024 enforcement action against Heritage Valley Health System is a case study. OCR's investigation after a ransomware attack found failures in risk analysis and risk management — squarely in the administrative safeguard category. The settlement cost Heritage Valley $950,000.
Physical Safeguards (§ 164.310)
Physical safeguards control physical access to systems that store ePHI. Think facility access controls, workstation use policies, workstation security, and device and media controls. If your staff works remotely — and in 2026, many do — physical safeguards extend to home offices. That means your remote workforce needs clear guidance on securing devices, locking screens, and restricting access to household members.
Our Working from Home & PHI training walks through exactly what physical and technical safeguards apply to remote environments. It's one of the most practical courses we offer because the threat landscape for home-based work is completely different from a locked server room.
Technical Safeguards (§ 164.312)
Technical safeguards are the technology-based controls: access controls, audit controls, integrity controls, person or entity authentication, and transmission security. Encryption falls here. So does automatic logoff. So do the audit logs that OCR investigators pull first when they show up after a breach report.
This category is evolving fast. Organizations now use AI-powered tools that process ePHI for clinical decision support, billing automation, and patient communication. If your organization is integrating AI into workflows that touch ePHI, your technical safeguards must account for how that data flows to and from those tools. Our Using AI Tools & PHI course covers this exact intersection — where the Security Rule meets machine learning models and third-party AI platforms.
The $1.5 Million Mistake: Skipping the Risk Analysis
If there's one requirement OCR enforces more than any other, it's the risk analysis under § 164.308(a)(1). I've reviewed dozens of resolution agreements, and the failure to conduct an adequate, organization-wide risk analysis appears in nearly every single one.
In 2018, Fresenius Medical Care North America agreed to pay $3.5 million after OCR found that five separate breach incidents traced back to failures in risk analysis and risk management. Five breaches. One root cause. The HHS resolution agreement lays it out clearly.
Your risk analysis must cover every system that creates, receives, maintains, or transmits ePHI. Every location. Every device. Every vendor connection. If you completed one in 2022 and haven't updated it, you're out of compliance right now.
Pharmacy Teams Face Unique Security Rule Pressure
Pharmacies are covered entities, full stop. They transmit claims electronically. They maintain ePHI in dispensing systems, patient profiles, and prescription management platforms. Yet I've worked with independent pharmacies that had no written security policies, no designated security official, and no risk analysis on file.
The Security Rule applies to your pharmacy with the same force it applies to a 500-bed hospital. The difference is that pharmacies often lack dedicated compliance staff. That's why role-specific training matters. Our HIPAA & HITECH for Pharmacy Professionals course addresses the Security Rule requirements that pharmacists, technicians, and pharmacy managers need to understand in their daily work.
Business Associates: You're Not Off the Hook
Before HITECH, business associates could hide behind their covered entity clients. Not anymore. Since 2013, business associates are directly subject to the Security Rule's requirements and directly liable for violations. OCR has made this painfully clear through enforcement.
In 2022, business associate CHSPSC LLC (a management company for Community Health Systems) paid $2.3 million after a breach affecting over 6 million individuals. The investigation found failures in risk analysis, information system activity review, and access controls — all Security Rule requirements that applied directly to the business associate.
If you're a business associate reading this, you need your own risk analysis, your own policies, your own training program, and your own incident response plan. Your BAA doesn't transfer compliance — it confirms your independent obligations.
What OCR Actually Looks At During an Investigation
I've spoken with compliance officers who've been through OCR investigations, and the pattern is consistent. OCR requests documentation in a specific order:
- Your most recent risk analysis and risk management plan
- Policies and procedures related to the specific alleged violation
- Evidence of workforce training (dates, topics, attendance records)
- Audit logs and access reports for the systems involved
- Business associate agreements
- Breach notification documentation
If you can't produce these documents, you're already in trouble. OCR doesn't accept "we do that informally" or "it's in our employee handbook somewhere." They want dated, specific, written evidence.
The full regulatory text is available at 45 CFR Part 164, Subpart C on the Cornell Law Institute site. Bookmark it. Reference it. Build your compliance program around it.
The Bottom Line for 2026
The HIPAA Security Rule applies to ePHI — and only ePHI — held by covered entities and business associates. It requires administrative, physical, and technical safeguards scaled to your organization's size, complexity, and risk environment. The penalties for getting it wrong range from corrective action plans to multimillion-dollar settlements.
Your organization doesn't need to be perfect. But it does need to be demonstrably trying. Documented risk analyses, current policies, trained workforce, functioning access controls — these are the basics OCR expects. Miss them, and you're one stolen laptop, one phishing email, or one disgruntled employee away from a very expensive lesson.
Start with your risk analysis. Train your people. Document everything. And if you need structured training that covers the Security Rule in practical terms, explore the full course catalog at HIPAACertify to find the right fit for your team.