When OCR investigated Premera Blue Cross in 2020, the resulting $6.85 million settlement exposed failures across every category of protection the HIPAA Security Rule demands. The insurer hadn't conducted a thorough risk analysis, failed to implement sufficient hardware controls, and lacked adequate access safeguards for its electronic systems. If you've ever searched "the Security Rule requires which of the following three safeguards," the Premera case is a textbook illustration of what happens when a covered entity neglects any one of them.

The Security Rule Requires Which of the Following Three Safeguards?

Under 45 CFR Part 164, Subparts A and C, the HIPAA Security Rule requires three categories of safeguards to protect electronic protected health information (ePHI): administrative safeguards, physical safeguards, and technical safeguards. These aren't suggestions or best practices — they are regulatory mandates that apply to every covered entity and business associate that creates, receives, maintains, or transmits ePHI.

Each category contains a mix of required and addressable implementation specifications. "Addressable" does not mean optional. It means your organization must assess whether each specification is reasonable and appropriate, implement it if so, or document why an equivalent alternative measure was adopted instead.

Administrative Safeguards: The Foundation Most Organizations Underestimate

Administrative safeguards account for more than half of the Security Rule's requirements, yet they receive the least attention in many compliance programs. These are the policies, procedures, and workforce management actions your organization uses to protect ePHI.

The critical components include:

  • Risk analysis and risk management — You must conduct a thorough assessment of potential threats and vulnerabilities to ePHI. OCR has cited the absence of a comprehensive risk analysis in the majority of its enforcement actions, including settlements with Anthem ($16 million, 2018) and Banner Health ($1.25 million, 2023).
  • Workforce training — Every member of your workforce must receive training on your security policies and procedures. This isn't a one-time onboarding task; training must be ongoing and updated as threats evolve. Investing in structured HIPAA training and certification ensures your staff understands current requirements.
  • Security management process — You need formal policies that prevent, detect, contain, and correct security violations.
  • Assigned security responsibility — A designated security official must be accountable for developing and implementing your Security Rule compliance program.
  • Contingency planning — Data backup, disaster recovery, and emergency mode operation plans are required specifications, not optional enhancements.

Administrative safeguards are where compliance lives or dies. Without documented policies and trained workforce members, physical and technical controls become unreliable.

Physical Safeguards: Controlling Access to Facilities and Devices

Physical safeguards address how your organization protects the physical infrastructure — buildings, equipment, and media — that houses or accesses ePHI. Healthcare organizations consistently struggle with this category because physical security often falls under facilities management rather than IT or compliance.

Key requirements include:

  • Facility access controls — Procedures to limit physical access to electronic information systems and the facilities where they are housed. This includes visitor logs, locked server rooms, and access badge systems.
  • Workstation use and security — Policies specifying the proper functions and physical attributes of workstations that access ePHI, as well as physical protections restricting access to authorized users only.
  • Device and media controls — Procedures governing how hardware and electronic media containing ePHI are disposed of, reused, moved, or tracked. Simply deleting files from a decommissioned laptop does not meet the minimum necessary standard for data destruction.

OCR's $3 million settlement with the University of Rochester Medical Center in 2019 hinged partly on the failure to encrypt portable devices — a physical safeguard gap that exposed ePHI on lost equipment.

Technical Safeguards: Protecting ePHI Within Your Systems

Technical safeguards are the technology-based controls and policies that protect ePHI and govern access to it. For many compliance teams, these feel like the most familiar territory, but implementation gaps remain alarmingly common.

Required and addressable specifications include:

  • Access control — Implement technical mechanisms so each workforce member can access only the ePHI necessary for their role. Unique user identification and emergency access procedures are required specifications.
  • Audit controls — Deploy hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. If your organization cannot produce audit logs during an OCR investigation, you have a significant HIPAA violation exposure.
  • Integrity controls — Implement electronic measures confirming that ePHI has not been improperly altered or destroyed.
  • Transmission security — Protect ePHI whenever it is transmitted over an electronic network. Encryption is an addressable specification here, but given today's threat landscape, choosing not to encrypt transmissions requires substantial justification.
  • Authentication — Verify that a person or entity seeking access to ePHI is who they claim to be.
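The access control, audit control, and integrity control bullets above describe outcomes rather than mechanisms. The following Python sketch is an added illustration, not code from the original article or from any regulator, showing how those three technical safeguards can be combined in a single access path: a role-to-permission map enforces role-appropriate access, an HMAC-SHA256 tag detects improper alteration of a stored record, and every attempt (allowed or not) lands in an audit trail that could be produced during an investigation. The roles, the key, and the sample record are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the key lives in a KMS/HSM
# and is never hard-coded; this value exists only so the example runs offline.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical role-to-action map illustrating "access only the ePHI
# necessary for their role" (roles and actions are assumptions).
ROLE_PERMISSIONS = {
    "clinician": {"read", "update"},
    "billing": {"read"},
    "reception": set(),
}

# In-memory audit trail. A production system would forward this to
# append-only storage so the logs survive and can be handed over on request.
AUDIT_LOG = []


def _canonical(record):
    # Stable serialization so the same record always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record):
    """Attach an HMAC-SHA256 tag so later alteration can be detected."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"body": record, "tag": tag}


def verify_record(sealed):
    """Recompute the tag and compare it in constant time."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def access_ephi(user_id, role, action, sealed):
    """Authorize an action, check integrity, and always write an audit entry.

    Returns the record body on success, or None when the request is denied
    or the record fails its integrity check. Every attempt is logged.
    """
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    intact = verify_record(sealed)
    if not allowed:
        outcome = "denied"
    elif not intact:
        outcome = "integrity_failure"
    else:
        outcome = "ok"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "role": role,
        "action": action,
        "patient": sealed["body"].get("patient_id"),
        "outcome": outcome,
    })
    return sealed["body"] if outcome == "ok" else None


def make_sample_record():
    # Constructed, fictional ePHI record used only for the demonstration.
    return seal_record({"patient_id": "P-0001", "diagnosis": "example", "mrn": "000-000"})


if __name__ == "__main__":
    rec = make_sample_record()
    print(access_ephi("dr_smith", "clinician", "read", rec))   # returns the body
    print(access_ephi("front_desk", "reception", "read", rec))  # None: role lacks "read"
    rec["body"]["diagnosis"] = "altered"  # simulate an improper modification of stored data
    print(access_ephi("dr_smith", "clinician", "read", rec))   # None: tag no longer matches
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that the audit entry is written regardless of outcome, so a denied request or an integrity failure is as visible to reviewers as a successful read; an audit control that only records successes cannot support the kind of examination the rule describes.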

How the Three Safeguards Work Together

No single safeguard category can protect ePHI on its own. A state-of-the-art firewall (technical) means little if an unauthorized person can walk into your server room (physical) or if your workforce hasn't been trained to recognize phishing attacks (administrative). OCR evaluates compliance holistically, and enforcement actions almost always cite failures spanning multiple safeguard categories.

The Security Rule's structure is intentional: administrative safeguards establish the governance framework, physical safeguards protect the environment, and technical safeguards secure the data within your systems. A gap in any one area undermines the other two.

Building a Compliance Program That Covers All Three

Start with your risk analysis. This single administrative requirement drives everything else — it identifies which physical and technical controls you need, where your vulnerabilities are, and what your organization must prioritize. Document every finding and remediation decision.

Next, ensure your workforce understands their role in all three safeguard categories. A receptionist who props open a secure door creates a physical safeguard failure. A clinician who shares login credentials creates a technical safeguard failure. Comprehensive workforce HIPAA compliance programs connect these dots for every role in your organization.

Finally, treat compliance as a continuous process. The Security Rule doesn't recognize a "compliant" end state — it requires ongoing evaluation, updates to policies, and regular workforce training as threats and technologies evolve.

The Cost of Ignoring Any One Safeguard

Between 2019 and 2024, OCR resolved over 150 enforcement actions, with penalties ranging from $100,000 to $16 million. The common thread in nearly every case: failures in more than one safeguard category. Inadequate risk analysis (administrative), unencrypted devices (physical and technical), and untrained staff (administrative) form a pattern that OCR investigators recognize immediately.

Your organization cannot afford to treat the three safeguards as a checklist to file away. They are the operational backbone of HIPAA Security Rule compliance — interconnected, mandatory, and under active scrutiny by federal regulators.