In February 2024, OCR announced a $4.75 million settlement with Montefiore Medical Center after a former employee stole electronic protected health information (ePHI) of over 12,000 patients. The breach traced back to failures in access controls, audit logging, and risk analysis — all requirements under the HIPAA Security Rule. This case illustrates exactly what the HIPAA Security Rule establishes safeguards to protect: electronic protected health information in all its forms, wherever your organization creates, receives, maintains, or transmits it.
What Does the HIPAA Security Rule Establish Safeguards to Protect?
The answer is specific and narrow in a way that surprises many healthcare professionals. The HIPAA Security Rule, codified at 45 CFR Part 164, Subparts A and C, establishes national standards requiring covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).
Not all PHI. Not paper records. Not verbal disclosures. The Security Rule applies exclusively to protected health information that is created, stored, transmitted, or received in electronic form. Paper records and oral communications fall under the Privacy Rule's broader protections.
This distinction matters because it defines the scope of your compliance obligations. Every workstation, server, mobile device, cloud platform, email system, and EHR application that touches ePHI must be secured under these standards.
The Three Safeguard Categories Every Covered Entity Must Implement
The Security Rule organizes its requirements into three categories of safeguards. Each contains both required and addressable implementation specifications. Understanding the difference is critical — "addressable" does not mean "optional." It means your organization must implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate.
Administrative Safeguards (45 CFR § 164.308)
Administrative safeguards account for more than half of the Security Rule's requirements. They govern the policies, procedures, and workforce actions that protect ePHI. Key requirements include:
- Risk analysis and risk management: You must conduct a thorough assessment of potential risks and vulnerabilities to ePHI and implement measures to reduce them to a reasonable level.
- Workforce training: Every member of your workforce who handles ePHI must receive training on your security policies and procedures.
- Security management process: Your organization needs a designated security official responsible for developing and implementing security policies.
- Contingency planning: You must establish data backup, disaster recovery, and emergency mode operation plans.
- Information access management: Access to ePHI must be limited based on the minimum necessary standard and role-based authorization.
OCR enforcement actions consistently target risk analysis failures more than any other requirement. If your organization has not conducted a comprehensive, documented risk analysis within the past year, you are exposed.
Physical Safeguards (45 CFR § 164.310)
Physical safeguards address access to the physical facilities, workstations, and devices where ePHI resides. Requirements include:
- Facility access controls: Limit physical access to electronic information systems through locked doors, security badges, visitor logs, and surveillance where appropriate.
- Workstation use and security: Define the proper functions of workstations that access ePHI and implement physical protections to restrict access to authorized users.
- Device and media controls: Establish policies for disposing of, reusing, and moving hardware and electronic media containing ePHI. This includes proper sanitization of hard drives and encryption of portable devices.
Healthcare organizations consistently struggle with device and media controls. A single unencrypted laptop left in a vehicle can trigger a reportable breach under the Breach Notification Rule.
Technical Safeguards (45 CFR § 164.312)
Technical safeguards are the technology-based protections built into systems that store or transmit ePHI:
- Access controls: Implement unique user identification, emergency access procedures, automatic logoff, and encryption mechanisms.
- Audit controls: Deploy hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI.
- Integrity controls: Implement policies and procedures to ensure ePHI is not improperly altered or destroyed.
- Transmission security: Protect ePHI during electronic transmission over networks, including encryption where appropriate.
- Authentication: Verify the identity of any person or entity seeking access to ePHI.
The Montefiore case mentioned above failed on multiple technical safeguards — particularly audit controls that could have detected unauthorized access months earlier.
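The audit-controls requirement above (§ 164.312(b)) is easiest to see as code. The following is an added example, not code from the article or from HIPAA Certify, and it assumes a simplified line-oriented access log (`timestamp,user_id,patient_id,action`) and a workforce roster with termination dates, both constructed here for illustration. It reviews the log for two signals the Security Rule's audit and access controls exist to catch: activity from an account after the workforce member's termination date (a deprovisioning failure), and a single account touching far more distinct patient records in a day than its own baseline. Malformed log lines are counted and skipped rather than aborting the review.

```python
"""Audit-control review over a constructed ePHI access log (added example)."""
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed sample access log (timestamp,user_id,patient_id,action).
# The 2024-01-05 burst simulates one account reading twelve unrelated patient
# records late at night; the last two lines simulate a terminated user's
# account that was never disabled and can still view and export records.
SAMPLE_LOG = [
    "2024-01-03T09:12:00,u_nurse01,P1001,view",
    "2024-01-03T09:15:00,u_nurse01,P1002,view",
    "2024-01-03T09:40:00,u_nurse01,P1003,view",
    "2024-01-04T08:55:00,u_nurse01,P1004,view",
    "2024-01-04T10:02:00,u_nurse01,P1001,update",
    "this line is malformed and must be skipped, not crash the review",
] + [
    f"2024-01-05T22:{m:02d}:00,u_nurse01,P{2000 + m},view" for m in range(12)
] + [
    "2024-01-06T02:10:00,u_former07,P3001,view",
    "2024-01-06T02:11:00,u_former07,P3002,export",
]

# Constructed workforce roster: user_id -> termination date (None = active).
ROSTER = {"u_nurse01": None, "u_former07": date(2023, 12, 15)}


def parse_log(lines):
    """Parse CSV-style access records; malformed lines are counted, not fatal."""
    records, skipped = [], 0
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4:
            skipped += 1
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            skipped += 1
            continue
        records.append({"ts": ts, "user": parts[1], "patient": parts[2], "action": parts[3]})
    return records, skipped


def find_account_violations(records, roster):
    """Access by accounts that are not on the roster or should have been disabled."""
    findings = []
    for r in records:
        term = roster.get(r["user"], "missing")
        if term == "missing":
            findings.append((r["user"], r["ts"].isoformat(), "not_on_roster"))
        elif term is not None and r["ts"].date() > term:
            findings.append((r["user"], r["ts"].isoformat(), "after_termination"))
    return findings


def daily_distinct_patients(records):
    """user -> {date -> number of distinct patient records touched that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r["user"]][r["ts"].date()].add(r["patient"])
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def find_volume_anomalies(records, factor=3.0, min_patients=10):
    """Flag days where a user's distinct-patient count exceeds
    max(min_patients, factor * median of that user's other days).
    A user with only one day of history gets the absolute floor, so a
    brand-new or dormant account cannot hide behind 'no baseline'."""
    findings = []
    for user, days in daily_distinct_patients(records).items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = statistics.median(others) if others else 0
            threshold = max(min_patients, factor * baseline)
            if count > threshold:
                findings.append((user, day.isoformat(), count, threshold))
    return findings


def review(lines, roster):
    """Run both checks and report how many lines could not be parsed."""
    records, skipped = parse_log(lines)
    return {
        "skipped_lines": skipped,
        "account_violations": find_account_violations(records, roster),
        "volume_anomalies": find_volume_anomalies(records),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, ROSTER).items():
        print(key, value)
```

Running it flags the two post-termination events for `u_former07` and the twelve-patient day for `u_nurse01`, while the ordinary two- and three-patient days pass. The per-user median baseline is a deliberate choice: a flat threshold applied across a whole organization either drowns a front-desk account in alerts or lets a high-volume clinician's account run unnoticed, whereas comparing each account against its own history keeps the review role-appropriate. In practice the thresholds, the roster source, and the log format would come from your own risk analysis and systems rather than the constants assumed here.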
Why Risk Analysis Is the Foundation of Every Security Safeguard
You cannot implement meaningful safeguards without first understanding what you are protecting and where the vulnerabilities exist. The Security Rule's risk analysis requirement at § 164.308(a)(1)(ii)(A) is the starting point for all safeguard decisions.
A proper risk analysis identifies every system that touches ePHI, evaluates current threats and vulnerabilities, assesses the likelihood and impact of a breach, and documents the findings. From there, your risk management plan determines which safeguards to implement and how.
OCR has made clear — through enforcement actions, published guidance, and audit protocols — that a risk analysis cannot be a checkbox exercise. It must be thorough, documented, and updated regularly as your technology environment changes.
Business Associate Obligations Under the Security Rule
Since the Omnibus Rule of 2013, the Security Rule applies directly to business associates, not just covered entities. If a third-party vendor creates, receives, maintains, or transmits ePHI on your behalf, that business associate must independently comply with all three categories of safeguards.
Your business associate agreements must require compliance, but the legal obligation now extends to the business associate itself. OCR has pursued enforcement actions against business associates directly, including a $2.3 million settlement with CHSPSC, LLC in 2020 for Security Rule failures.
The Workforce Training Gap That Creates the Most Risk
Administrative safeguards require workforce training, yet many organizations treat it as a one-time onboarding task. The Security Rule requires ongoing, role-appropriate training — particularly when environmental or operational changes affect the security of ePHI.
A receptionist handling patient check-in software needs different training than a systems administrator managing your EHR infrastructure. Generic annual videos rarely meet this standard. Investing in structured HIPAA training and certification ensures your workforce understands the specific safeguards relevant to their roles and responsibilities.
Turning Security Rule Knowledge Into Organizational Action
Understanding what the HIPAA Security Rule establishes safeguards to protect is only valuable if it drives real compliance activity. Start with a current, comprehensive risk analysis. Map every system that stores or transmits ePHI. Evaluate your administrative, physical, and technical safeguards against the specific requirements at 45 CFR §§ 164.308, 164.310, and 164.312.
Document everything. OCR investigations do not ask whether you believe you are compliant — they ask for evidence. Policies, training records, risk analysis reports, and remediation plans are the artifacts that demonstrate compliance.
If your organization needs to build or strengthen its compliance program, HIPAA Certify's workforce compliance platform provides the structure, training, and documentation tools to protect ePHI the way the Security Rule demands. The cost of non-compliance — both in OCR penalties and patient trust — is too high to leave safeguards to guesswork.