
HIPAA Security Rule Implementation Guide for Indian Business Associates

45 CFR 164.308-312 in practical detail. Administrative, physical and technical safeguards explained for Indian health-tech, BPO and RCM providers. What auditors test, what Covered Entity due diligence looks for, what most Indian BAs get wrong.

Published 21 May 2026. 12 min read. Codesecure Compliance Team.

Key Takeaways

  • HIPAA Security Rule (45 CFR 164.308-312) defines administrative, physical and technical safeguards. The Security Rule applies directly to Business Associates under HITECH.
  • Administrative safeguards (164.308): risk analysis, workforce security, access management, training, incident procedures, contingency planning.
  • Physical safeguards (164.310): facility access, workstation use, device and media controls. For cloud-only BAs, much of this is covered by cloud provider BAAs.
  • Technical safeguards (164.312): access control, audit controls, integrity, authentication, transmission security. The most-tested area in Covered Entity due diligence.
  • Implementation specifications are either 'Required' or 'Addressable'. Addressable does NOT mean optional; it means you must either implement the default specification or document why the alternative you chose gives equivalent protection.

What the HIPAA Security Rule Actually Requires

The HIPAA Security Rule, codified at 45 CFR 164.302-318, specifies the safeguards required to protect electronic Protected Health Information (ePHI). The Rule applies to Covered Entities directly, and to Business Associates via HITECH and via the contractual obligations in BAAs.

The Security Rule is structured around three families of safeguards: Administrative (164.308), Physical (164.310) and Technical (164.312). Each family contains Standards (mandatory) and Implementation Specifications which are either 'Required' or 'Addressable'.

Critical misunderstanding: 'Addressable' does NOT mean 'optional'. It means you must either implement the default specification or document why an alternative measure achieves equivalent protection. Indian Business Associates often skip Addressable specs without documentation and find this flagged in Covered Entity due diligence or HHS OCR review.

Administrative Safeguards (45 CFR 164.308)

Administrative safeguards are the documented policies and procedures that manage the selection, development, implementation and maintenance of security measures to protect ePHI. Nine standards under 164.308:

Security Management Process (164.308(a)(1)) [Required]

Implementation: (a) Risk Analysis [Required], (b) Risk Management [Required], (c) Sanction Policy [Required], (d) Information System Activity Review [Required]. This is the foundation of HIPAA compliance. The risk analysis in particular must be documented, comprehensive, organisation-wide, and refreshed regularly (at least annually, and sooner after any material change).

Assigned Security Responsibility (164.308(a)(2)) [Required]

Designate a named security official responsible for HIPAA Security Rule compliance. For Indian BAs, typically the CISO, Head of Engineering, or for smaller companies the founder or CTO. Document the designation. The security official is the named point of contact for HHS OCR, Covered Entity due diligence, and breach notifications.

Workforce Security (164.308(a)(3)) [Required]

Implementation: Authorisation and supervision [Addressable], Workforce clearance procedure [Addressable], Termination procedures [Addressable]. Background checks before granting ePHI access, documented supervisory structure, immediate revocation of access on termination. Indian BAs often have these as informal practice but lack documented procedures, which is what auditors look for.

Information Access Management (164.308(a)(4)) [Required]

Implementation: Isolating Healthcare Clearinghouse Functions [Required, if applicable], Access Authorisation [Addressable], Access Establishment and Modification [Addressable]. Role-based access with documented role-to-permission mapping. Quarterly access reviews. Immediate revocation. Most Covered Entity due diligence asks for current access review records.

Security Awareness and Training (164.308(a)(5)) [Required]

Implementation: Security Reminders [Addressable], Protection from Malicious Software [Addressable], Log-in Monitoring [Addressable], Password Management [Addressable]. Annual security training for all workforce, role-specific training for elevated-access roles, documented training records with assessment scores. Phishing simulation campaigns satisfy 'Security Reminders' for most BAs.

Security Incident Procedures (164.308(a)(6)) [Required]

Implementation: Response and Reporting [Required]. Documented incident response procedure: detection, classification, response, reporting, post-incident review. Coordinated with breach notification procedure under 164.404 and 164.406 (HITECH 60-day clock to Covered Entity, then onward to HHS and affected individuals). Tabletop exercise the procedure annually.

Contingency Plan (164.308(a)(7)) [Required]

Implementation: Data Backup Plan [Required], Disaster Recovery Plan [Required], Emergency Mode Operation Plan [Required], Testing and Revision Procedures [Addressable], Applications and Data Criticality Analysis [Addressable]. Documented backups, DR plan, business continuity. Test annually. Indian BAs often have backups but lack documented restoration testing, which auditors flag.

Evaluation (164.308(a)(8)) [Required]

Periodic technical and non-technical evaluation of HIPAA Security Rule compliance, performed in response to environmental or operational changes affecting ePHI security. Most Indian BAs satisfy this through annual internal HIPAA audit plus continuous control monitoring. Codesecure provides the annual evaluation as part of HIPAA retainer.

Business Associate Contracts (164.308(b)(1)) [Required]

For Business Associates that engage sub-Business Associates (i.e. you outsource any PHI-touching function), you must have a sub-BAA in place. Indian BAs often miss this when they use US-based SaaS tools that touch PHI, without realising those tools need sub-BAAs. Maintain a complete sub-BA register.


Physical Safeguards (45 CFR 164.310)

Physical safeguards protect ePHI from physical access. Four standards under 164.310:

Facility Access Controls (164.310(a)(1)) [Required]

Implementation: Contingency Operations [Addressable], Facility Security Plan [Addressable], Access Control and Validation Procedures [Addressable], Maintenance Records [Addressable]. Badge access, visitor management with logs, restricted area definition. For cloud-only Indian BAs, document the cloud provider's facility safeguards via their BAA; the Indian BA's office still needs basic facility controls for any on-site PHI work.

Workstation Use (164.310(b)) [Required]

Documented policies governing workstation use including: appropriate functions of workstations accessing ePHI, manner of performing those functions, physical attributes of workstation surroundings. Translates to: clean desk policy, screen lock policy, no PHI on unauthorised workstations, no shared workstations for PHI access.

Workstation Security (164.310(c)) [Required]

Physical safeguards for workstations accessing ePHI. Includes: locked offices for PHI-handling staff (where applicable), workstation positioning to prevent shoulder surfing, automatic screen locks, and secure boot or other physical workstation controls.

Device and Media Controls (164.310(d)(1)) [Required]

Implementation: Disposal [Required], Media Re-use [Required], Accountability [Addressable], Data Backup and Storage [Addressable]. Secure destruction of media containing PHI (DBAN-style wipe for HDDs, certificate of destruction for physical destruction). Media re-use only after wipe. Backup media encrypted and access-controlled.

Technical Safeguards (45 CFR 164.312) — The Audit-Heavy Family

Technical safeguards are tested most rigorously in Covered Entity due diligence. Five standards under 164.312:

Access Control (164.312(a)(1)) [Required]

Implementation: Unique User Identification [Required], Emergency Access Procedure [Required], Automatic Logoff [Addressable], Encryption and Decryption [Addressable]. Unique user accounts (no shared accounts), break-glass emergency access with audit trail, idle session timeout (15-30 minutes typical), encryption of stored ePHI at rest. Addressable encryption is essentially mandatory in 2026; not encrypting at rest is flagged by every Covered Entity due diligence.

Audit Controls (164.312(b)) [Required]

Implement hardware, software and procedural mechanisms that record and examine activity in information systems containing or using ePHI. All ePHI access logged with: who, what, when, where, action. Logs retained for at least 6 years. Centralised log aggregation. Codesecure managed SOC service covers this with Wazuh SIEM.

Integrity (164.312(c)(1)) [Required]

Implementation: Mechanism to Authenticate ePHI [Addressable]. Protect ePHI from improper alteration or destruction. Cryptographic hashing of stored records, database transaction logs, file integrity monitoring on critical systems, version control on records where applicable.

Person or Entity Authentication (164.312(d)) [Required]

Verify that a person or entity seeking access to ePHI is the one claimed. Strong authentication: MFA for all admin access plus PHI-touching access, password policy aligned with NIST 800-63B current guidance, no password reuse, monitoring of authentication failures.

Transmission Security (164.312(e)(1)) [Required]

Implementation: Integrity Controls [Addressable], Encryption [Addressable]. Encryption in transit using TLS 1.2 or higher, modern cipher suites. Disable TLS 1.0, TLS 1.1, weak ciphers (RC4, 3DES, NULL, EXPORT). Document the TLS configuration of every ePHI-handling endpoint. End-to-end encryption for ePHI transmitted over external networks.
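As an added example (not code from the page's author), the following Python uses the standard ssl module to build a server context that meets the baseline above, records an endpoint's configuration as inventory evidence, and audits such a record for TLS 1.0/1.1 and the weak cipher families named; the endpoint names and the legacy record are constructed for illustration.

```python
import ssl

# Name fragments of the cipher families the text says to disable (OpenSSL spells 3DES as DES-CBC3).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP")
MIN_VERSION = ssl.TLSVersion.TLSv1_2

def hardened_server_context() -> ssl.SSLContext:
    """Server context meeting the baseline above: TLS 1.2+ and forward-secret AEAD suites only.
    The positive selectors already exclude RC4, 3DES, NULL and EXPORT; the '!' terms make it explicit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION          # turns TLS 1.0 and 1.1 off
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    return ctx

def describe_context(endpoint: str, ctx: ssl.SSLContext) -> dict:
    """Inventory record for one endpoint: the evidence behind 'document the TLS configuration'."""
    return {"endpoint": endpoint, "min_version": ctx.minimum_version,
            "cipher_suites": sorted(c["name"] for c in ctx.get_ciphers())}

def audit_record(record: dict) -> list[str]:
    """Findings against the transmission-security checklist; an empty list means compliant.
    Takes the shape describe_context() returns, so scanner output can be fed in the same way."""
    findings = []
    if record["min_version"] < MIN_VERSION:
        findings.append(f"{record['endpoint']}: minimum version {record['min_version'].name} is below TLS 1.2")
    findings += [f"{record['endpoint']}: weak cipher suite {name}" for name in record["cipher_suites"]
                 if any(marker in name for marker in WEAK_MARKERS)]
    return findings

# Constructed record for a hypothetical legacy endpoint (no real host); the hardened record is live.
LEGACY_RECORD = {"endpoint": "legacy-gateway.example", "min_version": ssl.TLSVersion.TLSv1,
                 "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"]}

if __name__ == "__main__":
    for rec in (describe_context("api.example", hardened_server_context()), LEGACY_RECORD):
        print(rec["endpoint"], "->", audit_record(rec) or "compliant")
```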


Frequently Asked Questions

What is the difference between 'Required' and 'Addressable' in HIPAA Security Rule?

Required means you must implement the specification exactly. Addressable means you must either implement the default specification or document why an alternative measure provides equivalent protection. 'Addressable' is NOT 'optional'. Indian BAs often skip Addressable items without documentation; HHS OCR and Covered Entity due diligence flag this. Document every Addressable decision.

Do cloud-only Indian Business Associates need physical safeguards?

Partially. The cloud provider's BAA covers facility access controls for the cloud data centres themselves. The Indian BA still needs facility controls for its own offices where employees access ePHI on workstations, and workstation use / workstation security policies for those employees. Workstation security is a workforce-and-policy item, not a data centre item.

How does HIPAA Security Rule overlap with ISO 27001 Annex A?

60-70 percent overlap. ISO 27001 Annex A.5 (organisational), A.6 (people), A.7 (physical), A.8 (technological) covers most HIPAA Security Rule administrative, physical and technical safeguards. The marginal HIPAA work over ISO 27001 is: HIPAA-specific risk analysis methodology, BAA management, breach notification under HITECH 60-day clock, HIPAA-specific workforce training. Indian BAs with ISO 27001 reduce HIPAA programme time from 4-6 months to 3-5 months.

What does 'audit controls' (164.312(b)) actually require in practice?

Every ePHI access logged. Logs must contain: user identity, action type (read/write/delete/print/export), resource identifier, timestamp, source IP, success/failure. Logs retained at least 6 years per HIPAA Privacy Rule 164.530(j). Centralised log aggregation with monitoring and alerting on suspicious patterns. Codesecure managed SOC for SMBs satisfies this using Wazuh SIEM + TheHive + n8n SOAR stack with named India-based analysts.
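As an added example (not Codesecure's tooling), the following Python applies the field list in this answer and in the Audit Controls standard above: it rejects events that cannot serve as 164.312(b) evidence and flags a user who touches many distinct records in a short window, one of the 'suspicious patterns' worth alerting on. The sample events, the five-minute window and the five-record threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fields every ePHI access event must carry to serve as 164.312(b) evidence (the list given above).
REQUIRED_FIELDS = ("user", "action", "resource", "timestamp", "source_ip", "outcome")
ACTIONS = {"read", "write", "delete", "print", "export"}

def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # tolerate a trailing 'Z'

def validate_event(event: dict) -> list[str]:
    """Defects that make an event unusable as audit evidence; an empty list means it is usable."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in event]
    if "action" in event and event["action"] not in ACTIONS:
        problems.append(f"unknown action {event['action']!r}")
    if "outcome" in event and event["outcome"] not in ("success", "failure"):
        problems.append(f"unknown outcome {event['outcome']!r}")
    try:
        parse_ts(event.get("timestamp", "1970-01-01T00:00:00Z"))
    except ValueError:
        problems.append("timestamp not ISO 8601")
    return problems

def detect_bulk_access(events: list[dict], window=timedelta(minutes=5), threshold=5) -> dict:
    """Users reaching `threshold` distinct resources inside one `window`, mapped to the count seen."""
    by_user = defaultdict(list)
    for e in events:
        if not validate_event(e):  # malformed events are excluded rather than trusted
            by_user[e["user"]].append((parse_ts(e["timestamp"]), e["resource"]))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            recent = {res for ts, res in hits[i:] if ts - start <= window}
            if len(recent) >= threshold:
                flagged[user] = len(recent)
                break
    return flagged

def sample_events() -> list[dict]:
    """Constructed sample (not real data): a normal user, a bulk exporter and one malformed event."""
    base = datetime(2026, 5, 21, 9, 0, tzinfo=timezone.utc)
    def ev(user, action, resource, minutes, ip="10.1.2.3"):
        ts = (base + timedelta(minutes=minutes)).isoformat().replace("+00:00", "Z")
        return {"user": user, "action": action, "resource": resource,
                "timestamp": ts, "source_ip": ip, "outcome": "success"}
    events = [ev("asha.k", "read", "patient/1001", 0), ev("asha.k", "write", "patient/1001", 12)]
    events += [ev("rahul.m", "export", f"patient/{2000 + i}", i * 0.5, "10.1.2.9") for i in range(6)]
    events.append({"user": "svc-etl", "action": "export", "resource": "patient/*",
                   "timestamp": "2026-05-21T09:30:00Z", "outcome": "success"})  # source_ip absent
    return events
```

Run as `detect_bulk_access(sample_events())`: the exporter is flagged with six distinct records, the normal user is not, and the event without a source IP is reported by `validate_event` and left out of the detection.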

Does HIPAA require encryption of ePHI at rest?

Encryption at rest is 'Addressable' under 164.312(a)(2)(iv). In practice it is effectively required because: (a) breach notification rules under 45 CFR 164.402 give safe harbour for encrypted ePHI (a lost encrypted laptop is not a reportable breach; a lost unencrypted laptop with PHI is), (b) Covered Entity due diligence consistently requires encryption at rest, (c) HHS OCR enforcement decisions repeatedly cite unencrypted PHI as a contributing factor. Encrypt at rest using AES-256 or stronger.

What evidence will Covered Entities ask for during vendor due diligence?

Common asks: latest HIPAA risk analysis (date + summary), named Security Official (assigned per 164.308(a)(2)), Security Rule policy documents, evidence of annual workforce training, breach notification procedure, latest internal audit report, encryption inventory for ePHI, access review records, sub-BAA register, recent pentest report (if any), incident response procedure. Pre-package this evidence as a 'Vendor Security Pack' and you accelerate every BAA negotiation.

How often do we need to update our HIPAA Security Rule documentation?

Annually as a minimum, plus on material changes. Material changes include: new product or service handling ePHI, major architecture change (cloud migration, new data centre), significant workforce changes (M&A, layoffs), regulatory updates (HHS OCR guidance, court decisions). Codesecure HIPAA retainer includes annual refresh of the entire programme.


Codesecure Compliance Team

ISO/IEC 27001:2022 Certified Compliance Practitioners

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs HIPAA, GDPR, NIST CSF, DPDP, ISO 27001 and SOC 2 compliance programmes for Indian businesses across fintech, healthcare, SaaS, manufacturing and e-commerce. Named consultants, fixed-fee engagements, audit-ready evidence packs.
