HIPAA Cybersecurity Requirements
HIPAA cybersecurity requirements define the technical and administrative obligations that covered entities and business associates must meet to protect electronic protected health information (ePHI). These obligations originate in the Health Insurance Portability and Accountability Act of 1996 and are operationalized through the HIPAA Security Rule, codified at 45 C.F.R. Parts 160 and 164. The Security Rule sits at the intersection of healthcare regulation and cybersecurity practice, affecting hospitals, health plans, clearinghouses, and any third-party vendor that handles ePHI on their behalf. Penalties for noncompliance range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS Office for Civil Rights Enforcement).
Definition and scope
The HIPAA Security Rule establishes a national standard for the protection of ePHI — health information stored, processed, or transmitted in electronic form. The rule applies to three categories of regulated entities:
- Covered entities — health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with covered transactions.
- Business associates — vendors, contractors, and subcontractors who create, receive, maintain, or transmit ePHI on behalf of a covered entity.
- Business associate subcontractors — entities that handle ePHI on behalf of a business associate, brought into scope under the HITECH Act of 2009.
The Security Rule distinguishes ePHI from the broader category of protected health information (PHI): PHI covers all media (paper, verbal, electronic), while ePHI specifically means information in electronic form. Paper records fall outside the Security Rule's scope but remain subject to the HIPAA Privacy Rule under 45 C.F.R. § 164.530.
The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), holds primary enforcement authority. The Federal Trade Commission (FTC) holds concurrent jurisdiction over non-HIPAA-covered health apps and vendors under the FTC Health Breach Notification Rule at 16 C.F.R. Part 318.
How it works
The Security Rule organizes requirements into three safeguard categories, each containing a mix of required and addressable specifications. Required specifications are mandatory without exception. Addressable specifications must be implemented if reasonable and appropriate, or an equivalent alternative measure must be documented and adopted.
Administrative Safeguards (45 C.F.R. § 164.308) form the policy and procedural backbone:
- Security management process — includes a risk analysis and risk management program, the two most frequently cited deficiencies in OCR enforcement actions.
- Assigned security responsibility — designation of a security official.
- Workforce training and management — sanctions policy, access authorization controls.
- Contingency planning — data backup, disaster recovery, and emergency mode operation plans.
- Evaluation — periodic technical and non-technical reassessment of security controls.
Physical Safeguards (45 C.F.R. § 164.310) govern facility access, workstation use policies, and device and media controls including procedures for final disposal of hardware containing ePHI.
Technical Safeguards (45 C.F.R. § 164.312) address access controls, audit controls, integrity mechanisms, and transmission security. Encryption is classified as an addressable specification — not a blanket mandate — but OCR's guidance documents treat encryption of data at rest and in transit as the de facto industry standard.
NIST Special Publication 800-66 Revision 2, published by the National Institute of Standards and Technology, provides an implementation guide that maps HIPAA Security Rule requirements to specific NIST controls, including those in NIST SP 800-53.
Common scenarios
HIPAA cybersecurity obligations surface across distinct operational contexts that each carry different risk profiles and compliance focal points.
Cloud migration of ePHI: When a covered entity moves clinical systems to a cloud provider, the cloud vendor becomes a business associate and must execute a Business Associate Agreement (BAA). The Security Rule's addressable encryption specification becomes effectively required in cloud contexts because alternative equivalent measures are difficult to document. OCR guidance published in 2016 (Cloud Computing Guidance) clarifies that a cloud provider storing ePHI is a business associate even if it cannot access the data due to encryption.
Ransomware incidents: OCR's 2016 Ransomware Guidance confirmed that ransomware encryption of ePHI constitutes a presumptive breach requiring notification unless a covered entity can demonstrate a low probability of compromise using the four-factor breach assessment under 45 C.F.R. § 164.402. The HHS Healthcare Cybersecurity Task Force 2023 report identified ransomware as the dominant threat vector in healthcare, with 405 large breaches reported to OCR in the single year covered by that analysis.
Third-party vendor access: Business associates that allow subcontractors to touch ePHI must execute downstream BAAs. Failure to maintain this chain is a standalone violation category.
Medical device security: Internet-connected medical devices processing or transmitting ePHI fall within the Security Rule's technical safeguards scope. The FDA's Medical Device Cybersecurity guidance (2023) establishes parallel device-level requirements that interact with but do not replace HIPAA obligations.
Decision boundaries
Determining whether the HIPAA Security Rule applies — and which provisions carry mandatory versus addressable weight — requires navigating several classification thresholds.
Covered entity vs. non-covered entity: A wellness app that does not interact with a covered entity's payment or treatment transactions is not automatically a covered entity under HIPAA, even if it collects health data. The FTC Health Breach Notification Rule may apply instead, as clarified in the FTC's 2021 Policy Statement.
Required vs. addressable specifications: The distinction is frequently misread. Addressable does not mean optional. Under 45 C.F.R. § 164.306(d)(3), an addressable specification requires either implementation or documented justification of an equivalent alternative — silence or omission is a violation.
HIPAA vs. state breach notification law: HIPAA's Breach Notification Rule sets a federal floor. At least 50 U.S. states and territories maintain separate breach notification statutes, and those laws may impose shorter notification timelines or broader definitions of protected information. HIPAA's 60-day notification window does not preempt state laws that require shorter timelines.
Security Rule vs. Privacy Rule: The Security Rule governs only ePHI, and only its confidentiality, integrity, and availability. Access and use restrictions on all forms of PHI — including paper — fall under the Privacy Rule. Compliance programs that address only electronic systems may leave paper-workflow Privacy Rule obligations unaddressed.
References
- HHS Office for Civil Rights — HIPAA Security Rule
- 45 C.F.R. Parts 160 and 164 — eCFR (Electronic Code of Federal Regulations)
- NIST SP 800-66 Rev. 2 — Implementing the HIPAA Security Rule
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems
- HHS OCR Cloud Computing Guidance (2016) — https://www.hhs.gov/sites/default/files/ocr/privacy/