Every year, OCR investigations reveal the same pattern: organizations that misidentify what HIPAA actually requires end up with the most damaging audit findings. One of the most common knowledge gaps — especially in workforce training assessments — centers on a deceptively simple question: which of the following is not a HIPAA safeguard? If your employees can't answer this confidently, your compliance program has a structural weakness.
The Three Safeguard Categories Under the HIPAA Security Rule
The HIPAA Security Rule (45 CFR Part 164, Subparts A and C) establishes exactly three categories of safeguards that covered entities and business associates must implement to protect electronic protected health information (ePHI). These are:
- Administrative Safeguards — Policies, procedures, and workforce management actions that govern the selection, development, and implementation of security measures.
- Physical Safeguards — Controls over physical access to facilities, workstations, and devices where ePHI is stored or accessed.
- Technical Safeguards — Technology and related policies that protect ePHI and control access to it, including encryption, access controls, and audit logs.
That's it. Three categories. Any answer choice that falls outside these three — such as "financial safeguards," "ethical safeguards," or "legal safeguards" — is not a HIPAA safeguard. Understanding this distinction is foundational to every compliance effort your organization undertakes.
Which of the Following Is Not a HIPAA Safeguard — And Why It Matters
When this question appears on HIPAA training and certification assessments, the incorrect answer is typically a plausible-sounding option like "financial safeguards" or "conceptual safeguards." These terms don't exist anywhere in the Security Rule. Yet workforce members routinely select them because they've never been taught the regulatory structure behind the safeguard categories.
This isn't just an academic problem. In my work with covered entities, I've seen organizations invest heavily in one safeguard category while completely neglecting another — often because leadership didn't understand the tripartite framework. OCR doesn't grade on a curve. A deficiency in any single category can result in corrective action plans, civil monetary penalties, or both.
Administrative Safeguards: The Most Extensive Category
Administrative safeguards account for more than half of the Security Rule's requirements. They include conducting a thorough risk analysis, implementing workforce training programs, designating a security official, and establishing contingency plans. These are the safeguards OCR scrutinizes first in almost every investigation.
The risk analysis requirement alone (§164.308(a)(1)) has been the basis for more HIPAA enforcement actions than any other single provision. Between 2008 and 2024, OCR cited insufficient or absent risk analyses in the majority of its resolution agreements. If your organization hasn't completed a current, comprehensive risk analysis, you're exposed regardless of how strong your technical controls are.
Physical Safeguards: Beyond Locked Doors
Physical safeguards under §164.310 address facility access controls, workstation use and security, and device and media controls. Healthcare organizations consistently struggle with the device and media controls standard — particularly the disposition of hardware that once contained PHI.
A common compliance gap: organizations implement badge-access entry systems but fail to establish policies for workstation positioning, screen visibility, or the secure disposal of hard drives and portable media. Each of these falls squarely within physical safeguards and is subject to OCR enforcement.
Technical Safeguards: Where Technology Meets Policy
Technical safeguards (§164.312) require access controls, audit controls, integrity controls, and transmission security. Encryption is an addressable implementation specification here — meaning your organization must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place.
OCR has made clear that "addressable" does not mean "optional." The 2023 enforcement action against a healthcare provider that suffered a breach involving unencrypted email reinforced this point with a settlement exceeding $100,000. If your organization has decided not to encrypt ePHI in transit, you need a documented, defensible rationale.
Common Misconceptions That Create Compliance Gaps
Beyond misidentifying safeguard categories, organizations frequently make these mistakes:
- Confusing Privacy Rule requirements with Security Rule safeguards. The Notice of Privacy Practices and the minimum necessary standard are Privacy Rule obligations (45 CFR §164.520 and §164.502(b), respectively). They are critical, but they are not "safeguards" under the Security Rule framework.
- Treating the Breach Notification Rule as a safeguard. Breach notification (§§164.400-414) is a separate regulatory obligation triggered after a safeguard failure. It's a response mechanism, not a preventive control.
- Assuming business associates only need technical safeguards. Since the Omnibus Rule of 2013, business associates are directly liable for compliance with all three safeguard categories — administrative, physical, and technical.
The Workforce Training Requirement Most Organizations Underestimate
The administrative safeguards standard at §164.308(a)(5) requires security awareness and training for your entire workforce. This isn't a one-time onboarding checkbox. OCR expects ongoing, role-based training that evolves with your organization's threat landscape and operational changes.
When workforce members can't answer a fundamental question like "which of the following is not a HIPAA safeguard?", it signals a training program that lacks depth. Investing in structured workforce HIPAA compliance training closes this gap and creates a documented trail of due diligence that matters during OCR investigations.
How to Strengthen Your Safeguard Framework Today
If your organization hasn't reviewed its safeguard implementation recently, start with these steps:
- Conduct or update your risk analysis. Map every system that creates, receives, maintains, or transmits ePHI. Identify threats and vulnerabilities across all three safeguard categories.
- Audit your policies against the Security Rule standards. Verify that you have documented policies and procedures for each administrative, physical, and technical safeguard — and that those policies reflect actual practice.
- Train your workforce with assessments that test real knowledge. Your training program should go beyond awareness. It should verify that every workforce member understands the regulatory structure, including the three safeguard categories and the obligations specific to their role.
- Review business associate agreements. Confirm that your BAAs reflect current Omnibus Rule requirements and that your business associates can demonstrate their own safeguard compliance.
HIPAA violations stemming from safeguard failures carry penalties ranging from $141 per violation (for unknowing violations with timely correction) to over $2 million per violation category per year for willful neglect. The cost of getting this wrong far exceeds the investment in getting it right.
Your compliance posture starts with foundational knowledge. If your workforce can confidently distinguish the three HIPAA safeguard categories from concepts that don't exist in the regulation, you've built the baseline every other control depends on.