In February 2024, OCR settled with a healthcare provider for $480,000 after investigators found the organization had never conducted a comprehensive risk analysis — a foundational requirement under the HIPAA standards for security. The organization had antivirus software and a firewall. It even had an IT team. What it lacked was a documented, methodical approach to identifying vulnerabilities to protected health information. That gap is what OCR targets most aggressively, and it's the gap I see most often in my work with covered entities and business associates.

What the HIPAA Standards for Security Actually Require

The Security Rule, codified at 45 CFR Part 164, Subparts A and C, establishes national standards to protect electronic protected health information (ePHI). Unlike the Privacy Rule, which governs all forms of PHI, the Security Rule focuses exclusively on ePHI — data created, received, maintained, or transmitted electronically.

The rule organizes its requirements into three categories of safeguards: administrative, physical, and technical. Each category contains standards, and each standard includes implementation specifications that are either required or addressable. A critical misconception: "addressable" does not mean "optional." It means your organization must implement the specification, adopt an equivalent alternative, or document why neither is reasonable — and accept the residual risk in writing.

Administrative Safeguards: Where Most Violations Originate

Administrative safeguards account for more than half of the Security Rule's requirements, and they're where OCR enforcement actions concentrate. These aren't technical controls — they're management processes.

The most cited standard is the risk analysis requirement (§164.308(a)(1)). Your organization must conduct a thorough, documented assessment of potential risks and vulnerabilities to ePHI. OCR has made clear in settlement after settlement — from Anthem's $16 million resolution in 2018 to smaller providers penalized in recent years — that a risk analysis must be enterprise-wide, not limited to the EHR system.

Other critical administrative safeguards include:

  • Risk management (§164.308(a)(1)(ii)(B)): Implementing security measures to reduce identified risks to a reasonable level.
  • Workforce training (§164.308(a)(5)): Training all workforce members on security policies and procedures relevant to their job functions. If your staff doesn't understand your security protocols, those protocols don't exist in practice. Investing in structured HIPAA training and certification is the most direct way to meet this standard.
  • Information access management (§164.308(a)(4)): Implementing policies that align with the minimum necessary standard — restricting ePHI access to what each workforce member needs for their role.
  • Contingency planning (§164.308(a)(7)): Data backup, disaster recovery, and emergency mode operation plans.

Physical Safeguards Your Facility Cannot Ignore

Physical safeguards under the HIPAA standards for security address the tangible protections around systems that store or access ePHI. These requirements apply whether your servers sit in a closet down the hall or in a colocation facility across the country.

Facility access controls (§164.310(a)) require your organization to limit physical access to electronic information systems. This includes visitor sign-in procedures, locked server rooms, and documented policies for granting and revoking physical access. Workstation use (§164.310(b)) and workstation security (§164.310(c)) standards require policies governing how and where ePHI is accessed — including remote work environments, which OCR has increasingly scrutinized since 2020.

Device and media controls (§164.310(d)) address disposal and re-use of hardware that contains ePHI. Healthcare organizations consistently struggle with this standard when decommissioning old laptops, copiers with hard drives, and portable storage devices.

Technical Safeguards: The Controls That Protect ePHI in Transit and at Rest

Technical safeguards are the technology-based protections that your IT infrastructure must deliver. Four standards define this category:

  • Access controls (§164.312(a)): Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption. Every workforce member must have a unique login — shared credentials are a direct violation.
  • Audit controls (§164.312(b)): Hardware, software, and procedural mechanisms to record and examine access to ePHI. Your organization needs logs, and someone must actually review them.
  • Integrity controls (§164.312(c)): Mechanisms to authenticate ePHI and protect it from improper alteration or destruction.
  • Transmission security (§164.312(e)): Encryption and integrity controls for ePHI transmitted over electronic networks. Sending unencrypted PHI over email or unsecured channels has been the basis for multiple HIPAA violation settlements.

How OCR Evaluates Your Security Posture During an Investigation

When OCR investigates a breach or complaint, they don't just ask whether you have a firewall. They ask for documentation. Specifically, they request your most recent risk analysis, your risk management plan, evidence of workforce training, and your policies and procedures mapped to each Security Rule standard.

In 2023, OCR resolved 11 cases under its Risk Analysis Initiative alone, collecting penalties ranging from $50,000 to $1.3 million. The pattern is unmistakable: organizations that cannot produce a current, comprehensive risk analysis face the steepest consequences. Organizations that can demonstrate an ongoing compliance program — including regular risk assessments, documented training, and policy updates — are in a fundamentally stronger negotiating position.

Building a Compliance Program Around the Security Standards

Meeting the HIPAA standards for security is not a one-time project. It's an ongoing operational commitment. Your compliance program should include annual risk analyses, regular policy reviews, continuous workforce education, and documented incident response procedures.

Start with your risk analysis. Map every system that touches ePHI. Identify threats — ransomware, insider misuse, device theft, vendor access — and document your existing controls and their gaps. Then implement a risk management plan with specific remediation timelines and assigned owners.

Workforce training must be more than an annual checkbox. Your covered entity and any business associate you work with should ensure that every team member understands the security policies relevant to their access level. A comprehensive workforce HIPAA compliance program creates accountability and gives you the documentation OCR will demand if a breach occurs.

The Standard OCR Won't Forgive You for Missing

If you take one action after reading this, conduct or update your risk analysis. No security control, no encryption tool, no vendor contract compensates for the absence of a documented risk analysis. OCR has made this the centerpiece of its enforcement strategy because it's the foundation every other HIPAA security safeguard rests on.

Your organization's security posture isn't measured by the technology you purchase. It's measured by the processes you implement, the training you deliver, and the documentation you maintain. The HIPAA standards for security demand all three — and OCR is actively verifying compliance.