In 2023, OCR settled with a healthcare system for $1.3 million after investigators found the organization had failed to implement even basic safeguards for electronic protected health information (ePHI). The root cause was not a sophisticated cyberattack: it was the absence of a current risk analysis and a patchwork of security controls that had never been formally evaluated. If you are asking what safeguards the HIPAA Security Rule requires, that enforcement action illustrates exactly why the answer matters for every covered entity and business associate.

The Three Safeguard Categories Under the HIPAA Security Rule

The HIPAA Security Rule, codified at 45 CFR Part 164, Subparts A and C, organizes its protections into three categories: administrative safeguards, physical safeguards, and technical safeguards. Each category contains a mix of required and addressable implementation specifications.

"Addressable" does not mean optional. If a specification is addressable, your organization must assess whether implementing it is reasonable and appropriate for your environment. If it is, implement it. If you decide it is not, you must document why and implement an equivalent alternative measure where one is reasonable and appropriate; the decision and its rationale must be retained as part of your Security Rule documentation (§164.316). OCR has penalized organizations that treated "addressable" as "ignorable."

Understanding what safeguards the HIPAA Security Rule requires starts with recognizing that all three categories work together. A failure in any one area can expose your entire ePHI environment.

Administrative Safeguards: The Foundation Most Organizations Underestimate

Administrative safeguards account for more than half of the Security Rule's requirements — and they're where OCR finds the most violations. These are the policies, procedures, and organizational actions that govern your security program.

The centerpiece is the risk analysis requirement (§164.308(a)(1)(ii)(A)). Every covered entity and business associate must conduct an accurate and thorough, organization-wide assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it creates, receives, maintains, or transmits. This is not a one-time exercise. OCR expects risk analysis to be ongoing and updated as your environment changes: new systems, new vendors, new locations, and changes to how ePHI flows through the organization.

Beyond risk analysis, administrative safeguards include:

  • Risk management — implementing security measures sufficient to reduce identified risks and vulnerabilities to a reasonable and appropriate level
  • Workforce training — providing security awareness training to all members of your workforce, including management
  • Information access management — authorizing and establishing access to ePHI based on job role, consistent with the Privacy Rule's minimum necessary standard
  • Security incident procedures — identifying, responding to, and documenting security incidents
  • Contingency planning — establishing data backup, disaster recovery, and emergency mode operation plans
  • Business associate contracts — ensuring every business associate relationship is governed by a compliant agreement under the Omnibus Rule

In my work with covered entities, workforce training is the requirement most likely to be checked off superficially. Sending a single email once a year does not meet the standard. OCR expects documented, role-based training that addresses the specific risks your organization faces, along with periodic security reminders. Investing in structured HIPAA training and certification helps your workforce demonstrate competency rather than mere attendance.

Physical Safeguards: Controlling Access to Facilities and Devices

Physical safeguards address access to the physical locations and hardware where ePHI is created, received, maintained, or transmitted. These protections apply to your data centers, offices, workstations, and any portable devices your workforce uses.

Key requirements include:

  • Facility access controls — limiting physical access to electronic information systems and the facilities that house them to authorized persons (§164.310(a))
  • Workstation use and security — specifying the proper functions, physical attributes, and surroundings of workstations that access ePHI, and restricting physical access to those workstations to authorized users (§164.310(b) and (c))
  • Device and media controls — governing the receipt, removal, movement, reuse, and disposal of hardware and electronic media containing ePHI, including sanitizing media before reuse and tracking where devices go (§164.310(d))

A common gap I see: organizations that encrypt laptops but have no documented policy for disposing of old hard drives or USB devices. OCR investigated multiple breaches tied to improper disposal of devices containing unencrypted PHI. Physical safeguards require end-to-end control over every piece of hardware that touches ePHI.

Technical Safeguards: Protecting ePHI in Your Systems and Networks

Technical safeguards are the technology-based controls and the policies governing their use. These are the protections most people think of first — but they're only effective when layered on top of strong administrative and physical foundations.

The Security Rule's technical safeguards include:

  • Access controls — assigning unique user IDs, implementing emergency access procedures, enabling automatic logoff, and using encryption and decryption mechanisms (§164.312(a))
  • Audit controls — implementing hardware, software, and procedural mechanisms to record and examine access and activity in systems containing ePHI (§164.312(b))
  • Integrity controls — protecting ePHI from improper alteration or destruction, with mechanisms such as checksums or digital signatures to verify that ePHI has not been altered (§164.312(c))
  • Authentication — verifying that a person or entity seeking access to ePHI is who they claim to be (§164.312(d))
  • Transmission security — guarding against unauthorized access to ePHI transmitted over electronic networks, including integrity controls and encryption in transit (§164.312(e))

Encryption is addressable, not required, under the Security Rule, a distinction that surprises many organizations. If you choose not to encrypt ePHI at rest or in transit, however, you must document why and describe the equivalent measure you have implemented. As a practical matter, encryption has become the de facto standard, and failing to encrypt significantly increases your exposure under the Breach Notification Rule: a breach of unencrypted PHI triggers notification obligations, while PHI encrypted in a manner consistent with HHS guidance is not "unsecured" and generally does not. Note the limits of that safe harbor: the encryption must meet the HHS guidance (which points to the relevant NIST standards), and it does not apply if the decryption key was compromised along with the data. A stolen laptop with full-disk encryption and the passphrase on a sticky note is a reportable breach.

How OCR Evaluates Your Safeguards During an Investigation

When OCR opens an investigation — whether triggered by a breach report, a complaint, or a compliance review — they follow a predictable pattern. They request your risk analysis first. Then they examine policies and procedures tied to the specific HIPAA violation alleged. Finally, they look for evidence that safeguards were implemented, not just documented.

The difference between a corrective action plan and a seven-figure penalty often comes down to whether your organization can show it took safeguards seriously before the incident. Documentation is your evidence. Training records, access logs, incident response reports, and business associate agreements all demonstrate a culture of compliance.

Build a Safeguard Strategy That Survives OCR Scrutiny

Compliance is not achieved by purchasing a firewall or posting a Notice of Privacy Practices. So what safeguards does the HIPAA Security Rule require? A coordinated, documented, and continuously maintained program spanning administrative, physical, and technical controls, all anchored by a current risk analysis.

Start by evaluating where your gaps are. Map every system that touches ePHI. Review your business associate agreements. Update your contingency plans. And ensure every member of your workforce — from front-desk staff to C-suite executives — understands their role in protecting protected health information.

If your organization needs a structured path to compliance, HIPAA Certify's workforce compliance program provides the training, documentation, and accountability framework that OCR expects to see. The organizations that invest in safeguards before an incident are the ones that survive investigations with their reputation — and their finances — intact.