In 2023, OCR settled with a healthcare provider for $1.3 million after an investigation revealed the organization had no encryption on portable devices, no facility access controls, and incomplete risk analyses — all failures tied directly to safeguards required under the HIPAA Security Rule. The organization knew PHI was at risk; it simply never built the infrastructure to protect it. Your organization cannot afford to make the same mistake.

The Three Categories of Safeguards for HIPAA Under the Security Rule

The HIPAA Security Rule (45 CFR Part 164, Subpart C) organizes its requirements into three categories of safeguards: administrative, physical, and technical. Each category contains both required and addressable implementation specifications. OCR evaluates all three during breach investigations and compliance audits.

Covered entities and business associates must implement all three categories. There is no exemption based on organization size, budget, or patient volume. The flexibility built into the rule relates to how you implement safeguards — not whether you implement them.

Administrative Safeguards: The Foundation Most Organizations Get Wrong

Administrative safeguards account for more than half of the Security Rule's requirements, yet they are the area where healthcare organizations most consistently fall short. These are the policies, procedures, and workforce management practices that govern how your organization protects electronic protected health information (ePHI).

The cornerstone requirement is the risk analysis under §164.308(a)(1). OCR has cited inadequate or missing risk analyses in the majority of its enforcement actions over the past decade. Your risk analysis must be thorough, documented, and updated regularly — not a checkbox exercise performed once during onboarding.

Other critical administrative safeguards include:

  • Security management process: Policies to prevent, detect, contain, and correct security violations
  • Workforce security: Procedures ensuring only authorized personnel access ePHI
  • Information access management: Policies implementing the minimum necessary standard for electronic records
  • Security awareness and workforce training: Ongoing education on threats, password management, and login monitoring
  • Contingency planning: Data backup, disaster recovery, and emergency mode operation plans

Workforce training is not optional, and it is not a one-time event. Every member of your workforce — employees, volunteers, trainees — must receive training on your security policies and procedures. If you need a structured, regulation-aligned program, HIPAA training and certification courses can help you meet this requirement efficiently.

Physical Safeguards: Controlling Access to Facilities and Devices

Physical safeguards under §164.310 address who can physically access locations where ePHI is stored, processed, or transmitted. OCR enforcement actions have repeatedly targeted organizations that failed to secure server rooms, left workstations unattended in public areas, or had no procedures for disposing of hardware containing PHI.

Your organization must implement:

  • Facility access controls: Procedures to limit physical access to electronic information systems, including visitor logs, locked server rooms, and badge access
  • Workstation use and security: Policies governing where workstations are located, how they are used, and physical protections around them
  • Device and media controls: Procedures for hardware disposal, media re-use, data backup, and accountability tracking when devices are moved

A common gap I see in my work with covered entities: organizations invest heavily in digital security but leave printed PHI in open mail trays, store backup tapes in unlocked closets, or never inventory the laptops and USB drives their workforce carries offsite. Physical safeguards for HIPAA demand the same rigor you apply to your firewalls.

Technical Safeguards: Securing ePHI in Your Systems

Technical safeguards under §164.312 are the technology-based protections most people think of first. These include access controls, audit controls, integrity controls, and transmission security. They are essential — but they only work when layered on top of sound administrative and physical foundations.

Required and addressable specifications include:

  • Access control: Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption of ePHI
  • Audit controls: Hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI
  • Integrity controls: Policies and mechanisms to protect ePHI from improper alteration or destruction
  • Person or entity authentication: Verification that individuals seeking access to ePHI are who they claim to be
  • Transmission security: Measures to protect ePHI during electronic transmission, including encryption
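The audit-controls item above, together with the login-monitoring item under administrative safeguards, says what must be recorded and examined but not how a review is actually performed. The script below is an added example, not code from this article or from HIPAACertify. It parses a constructed audit trail in an assumed "timestamp user action patient outcome" line format (real EHR systems each have their own) and flags four conditions a reviewer would follow up on: ePHI access by an identity not on the workforce roster, access outside business hours, a burst of failed logins, and one account touching many distinct patient records. The authorized-user list, business hours, thresholds and action names are all assumptions chosen for the illustration.

```python
"""Review an ePHI access audit trail and flag activity that needs follow-up.

Added example. The log format, user roster, hours and thresholds are
assumptions for illustration, not values from any real system.
"""
from collections import defaultdict

# Assumed: workforce members authorized to use the EHR, as maintained under
# the organization's workforce security procedures.
AUTHORIZED_USERS = {"jsmith", "tlee", "mgarcia"}

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, assumed for this example
FAILED_LOGIN_THRESHOLD = 5      # failed logins per user before flagging
BULK_ACCESS_THRESHOLD = 3       # distinct patient records per user before flagging

# Assumed action names that read, change or export ePHI.
EPHI_ACTIONS = {"VIEW_RECORD", "UPDATE_RECORD", "EXPORT_RECORDS"}

# Constructed sample audit trail: ISO timestamp, user, action, patient id, outcome.
SAMPLE_LOG = """\
2024-03-04T09:12:01 jsmith VIEW_RECORD P10001 SUCCESS
2024-03-04T09:13:40 jsmith VIEW_RECORD P10002 SUCCESS
2024-03-04T09:14:02 jsmith VIEW_RECORD P10003 SUCCESS
2024-03-04T02:15:09 tlee VIEW_RECORD P10004 SUCCESS
2024-03-04T10:01:11 contractor7 VIEW_RECORD P10005 SUCCESS
2024-03-04T10:05:30 jsmith LOGIN - FAILURE
2024-03-04T10:05:41 jsmith LOGIN - FAILURE
2024-03-04T10:05:52 jsmith LOGIN - FAILURE
2024-03-04T10:06:03 jsmith LOGIN - FAILURE
2024-03-04T10:06:15 jsmith LOGIN - FAILURE
2024-03-04T10:07:00 jsmith LOGIN - SUCCESS
2024-03-04T11:00:00 mgarcia EXPORT_RECORDS P10006 SUCCESS
2024-03-04T11:30:00 contractor7 VIEW_RECORD P10007 FAILURE
"""


def parse_log(text):
    """Parse the assumed five-field line format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, patient, outcome = parts
        events.append({
            "ts": ts,
            "hour": int(ts[11:13]),   # hour from "YYYY-MM-DDTHH:MM:SS"
            "user": user,
            "action": action,
            "patient": patient,
            "outcome": outcome,
        })
    return events


def review_audit_trail(text):
    """Return a list of (finding_kind, user, detail) tuples for follow-up."""
    findings = []
    failed_logins = defaultdict(int)
    patients_by_user = defaultdict(set)

    for e in parse_log(text):
        # Login monitoring: count failed authentication attempts per user.
        if e["action"] == "LOGIN" and e["outcome"] == "FAILURE":
            failed_logins[e["user"]] += 1
            continue
        # Only successful ePHI actions are reviewed as access events.
        if e["action"] not in EPHI_ACTIONS or e["outcome"] != "SUCCESS":
            continue
        if e["user"] not in AUTHORIZED_USERS:
            findings.append(("unauthorized_identity", e["user"], e["ts"]))
        if e["hour"] not in BUSINESS_HOURS:
            findings.append(("after_hours_access", e["user"], e["ts"]))
        patients_by_user[e["user"]].add(e["patient"])

    for user, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", user, str(count)))
    for user, patients in patients_by_user.items():
        if len(patients) >= BULK_ACCESS_THRESHOLD:
            findings.append(("bulk_record_access", user, str(len(patients))))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_audit_trail(SAMPLE_LOG):
        print(f"{kind:24s} user={user:12s} {detail}")
```

Each finding is a documented trigger for a human review, which is the part OCR looks for: the mechanism records and examines activity, and the organization can show the policy behind each threshold. Tune the roster, hours and thresholds to your own risk analysis rather than the sample values here.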

Encryption is listed as addressable, not required — but OCR has made clear that organizations choosing not to encrypt must document why and implement an equivalent alternative. In practice, encryption is the standard OCR expects. If your ePHI is unencrypted and a breach occurs, your organization faces both regulatory penalties and the reputational consequences of a public breach notification under the Breach Notification Rule.

Addressable Does Not Mean Optional

One of the most dangerous misunderstandings in HIPAA compliance is treating addressable implementation specifications as optional. Under the Security Rule, "addressable" means your organization must assess whether a specification is reasonable and appropriate. If it is, you must implement it. If it is not, you must document why and implement an equivalent measure.

OCR has penalized organizations that skipped addressable specifications without documentation. The 2016 settlement with North Memorial Health Care — a $1.55 million penalty — stemmed in part from failures tied to addressable business associate safeguards and risk analysis gaps. Every specification demands a documented decision.

Building a Safeguards Program That Survives OCR Scrutiny

Implementing safeguards for HIPAA is not a one-time project. It is an ongoing program that requires regular risk analyses, updated policies, continuous workforce training, and documented evidence of every decision you make.

Start with these steps:

  • Conduct a comprehensive, documented risk analysis of all ePHI your organization creates, receives, maintains, or transmits
  • Map each Security Rule specification — required and addressable — to a specific policy, procedure, or technology control
  • Train every workforce member on your security policies and update that training whenever procedures change
  • Review and test your contingency plan, including data backup and disaster recovery, at least annually
  • Maintain documentation for a minimum of six years, as required by §164.530(j)

If your organization lacks the internal resources to build and maintain this program, investing in workforce HIPAA compliance through HIPAACertify gives your team the regulatory foundation they need to protect PHI and meet OCR's expectations.

The Cost of Incomplete Safeguards

Between 2003 and 2024, OCR collected over $140 million in HIPAA enforcement penalties. The most common root causes — missing risk analyses, insufficient access controls, lack of encryption, and untrained workforces — all trace back to incomplete implementation of the three safeguard categories.

Your Notice of Privacy Practices promises patients their information is protected. Your safeguards program is how you keep that promise. Every gap in your administrative, physical, or technical controls is a gap between what you claim and what you deliver — and OCR investigations are designed to find exactly those gaps.