
HIPAA Security Rule Requirements & 2025 Updates
The HIPAA security rule is vital in protecting ePHI. It was created to protect someone’s personal health information when used by a covered entity. This includes creating administrative, physical and technical safeguards at an organization to protect this information. To understand the HIPAA security rule, you need to know the necessary safeguards and how to apply them to your organization. We’ll cover these points, as well as the recent updates announced in 2025, in this post.
Summary of the HIPAA Security Rule
The HIPAA Security Rule establishes the national standards required to protect individuals’ electronic personal health information (ePHI). It exists to provide a framework for securing health data, ensuring its confidentiality, integrity, and availability.
This rule applies to all healthcare providers, health plans, and healthcare clearinghouses (Covered Entities), as well as any of their business partners who handle ePHI on their behalf (Business Associates). Adherence to this rule is not optional; it is a legal requirement designed to build trust in the healthcare system and protect patient privacy in an increasingly digital world.
At a high level, the Security Rule mandates that all covered organizations implement three distinct types of safeguards. Administrative safeguards involve the policies, procedures, and workforce management aspects of security. Physical safeguards are the tangible protections for facilities and electronic systems, such as controlling access to data centers. Finally, technical safeguards are the technology-based controls used to protect data, like encryption and access controls. Together, these safeguards form a comprehensive defense-in-depth strategy, ensuring robust hippa security and compliance.
Who Are the HIPAA Covered Entities and Business Associates?
When discussing compliance, you’ll see reference to several different parties:
- The Covered Entity (CE): Covered entities are primary healthcare organizations, and include groups like hospitals, clinics, insurance payers, and Integrated Delivery Networks (IDNs).
- The Business Associate (BA): Business associates are companies that help CEs perform their work, usually by taking over some business or administrative function. BAs can range from technology providers (Managed Service Providers, Cloud Service Providers, data processing companies, etc.) or administrative groups. Essentially, a BA will handle PHI on behalf of CEs.
Note that a Covered Entity can serve as a Business Associate for another Covered Entity even as they perform CE functions.
Key Takeaways
- Mandatory Safeguards, Not Optional: The HIPAA Security Rule now removes the distinction between “required” and “addressable” safeguards—making measures like encryption, multi-factor authentication (MFA), and network segmentation mandatory for all covered entities and business associates.
- Expanded Requirements & Oversight: Organizations must implement comprehensive risk assessments, maintain annual technology asset inventories and network maps, develop incident response and recovery plans capable of restoring systems within 72 hours, and conduct regular vulnerability scans and penetration tests.
- Drivers Behind the Updates: These changes were driven by a sharp rise in cyberattacks and data breaches in healthcare, exposing gaps in outdated systems and inconsistent security practices. The aim is to move from flexibility to accountability and build a more resilient industry standard.
- New Legislative Push (HISAA): The Health Infrastructure Security & Accountability Act (HISAA) complements regulatory updates by mandating independent audits, resilience testing, executive certifications, and removing penalty caps—raising compliance stakes while offering funding for under-resourced organizations.
- Action Steps for Compliance: Covered entities and business associates should proactively conduct gap analyses, strengthen encryption and access controls, update risk assessments, improve vendor management practices, and secure leadership buy-in to align with these upcoming regulations.
What Specific HIPAA Security Requirements Does the Security Rule Dictate?
- Security Management Process: Organizations must implement policies and procedures to prevent, detect, contain, and correct security violations. This includes conducting a thorough risk analysis to identify potential threats to ePHI and implementing security measures to mitigate those risks.
- Information Access Management: Access to ePHI must be restricted to only authorized individuals. This involves implementing procedures to authorize access and establishing policies that align with the HIPAA Privacy Rule’s minimum necessary standard.
- Workforce Training and Management: All workforce members must receive training on security policies and procedures. Sanction policies must be in place for employees who fail to comply. Procedures for authorizing, supervising, and terminating workforce access to ePHI are also required.
- Facility Access Controls: Organizations must limit physical access to their facilities while ensuring that authorized personnel have the access they need. This involves implementing procedures to control and validate a person’s access to facilities where ePHI is stored.
- Workstation Use and Security: Policies must be developed to secure workstations that access ePHI, specifying proper use and the physical environment to prevent unauthorized viewing or access.
- Access Control (Technical): Implement technical policies and procedures that allow only authorized persons to access electronic protected health information. This requires assigning a unique name or number for identifying and tracking user identity.
- Audit Controls: Implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. These logs are crucial for detecting and responding to security incidents.
- Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic network. This includes encrypting data in transit to ensure it cannot be intercepted and read.
Purpose and Goals of the HIPAA Security Rule
The primary purpose of the HIPAA Security Rule is to establish national standards for the protection of electronic protected health information (ePHI). The rule operationalizes the principles of the Privacy Rule by focusing on the ‘how’ of data protection. Its core goals revolve around ensuring the confidentiality, integrity, and availability of all ePHI that a covered entity or business associate creates, receives, maintains, or transmits.
Confidentiality means that ePHI is not made available or disclosed to unauthorized individuals. Integrity means that ePHI is not altered or destroyed in an unauthorized manner. Availability means that ePHI is accessible and usable upon demand by an authorized person.
For organizations, these goals translate into the actionable expectation to perform regular risk assessments, implement reasonable and appropriate safeguards, and foster a culture of security to protect patient data from ever-evolving threats.
What are HIPAA Security Rule Safeguards?
The Security Rule is typically the most relevant for healthcare companies, as it dictates the measures that these companies must maintain. More specifically, the Security Rule breaks measures down into three categories of CE responsibility:
- Administrative safeguards. These safeguards refer to the policies, procedures, and plans that an organization must have in place to ensure the safety and protection of all patient data. Responsibilities in this area include security management, personnel management, workforce training, and evaluations. In short, an organization must enact policies and training procedures so that their people and their operations remain compliant.
- Physical safeguards. Physical safeguards refer to the actual, physical access to data and how it is protected. Measures here cover access to a data center or other work facilities, workstation encryption, mobile device protection, and hard drives or other detachable media that need to be transported or disposed of.
- Technical safeguards. Covers HIPAA encryption, access control, authentication, data integrity, and other protection measures. Technical safeguards need to be in place while data is stored, in transit, or in use at a workstation.
Note that the Security Rule doesn’t specify the exact kind of technology your organization must use to stay compliant. Instead, measures must meet the challenges of security as they exist at the time of implementation.
These safeguards will essentially protect ePHI if you remain in compliance and stay on top of the latest measures.
The HIPAA 2025 Security Rule Updates: Strengthening Healthcare Security
In January 2025, the U.S. Department of Health & Human Services (HHS) proposed major updates to the HIPAA Security Rule—the first substantive overhaul in over a decade—to address growing cybersecurity threats targeting healthcare.
These updates would eliminate the old “required” vs. “addressable” flexibility, making safeguards like encryption at rest and in transit, multi-factor authentication (MFA), and network segmentation mandatory. They also require covered entities and business associates to maintain annual technology asset inventories, conduct more detailed risk analyses, implement written incident response and disaster recovery plans capable of restoring systems within 72 hours, and perform regular vulnerability scans and penetration tests. Annual compliance audits and tighter oversight of vendors are also part of the proposal, aiming to create a stronger, more uniform baseline of protection across the sector.
Complementing this regulatory push, Senators Ron Wyden and Mark Warner introduced the Health Infrastructure Security & Accountability Act (HISAA) in late 2024. HISAA would add enforceable cybersecurity standards updated every two years, mandate independent audits and resilience testing, require executive-level certifications, and remove civil penalty caps—significantly raising the stakes for noncompliance. The bill also includes funding to help under-resourced hospitals improve their defenses.
The changes proposed in HIPAA 2025 are driven by a surge in healthcare breaches and ransomware attacks, which have highlighted gaps in legacy systems and inconsistent security practices. By modernizing requirements and shifting from flexibility to accountability, the updates aim to help organizations prevent and respond to cyber incidents more effectively. For covered entities, business associates, and patients, the end result should be a more resilient, secure, and trusted healthcare system—where protecting sensitive health information is a shared and enforceable priority rather than a patchwork of optional measures.
HIPAA 2025 Compliance Recommendations for Covered Entities and Business Associates
To prepare for the proposed HIPAA changes, covered entities and business associates should:
- Conduct a comprehensive gap analysis comparing current security practices against the proposed rule requirements.
- Update or create written risk assessments and incident response plans, including defined roles and restoration procedures aligned with the 72-hour recovery mandate.
- Implement or validate encryption of all electronic protected health information (ePHI), both at rest and in transit.
- Deploy multi-factor authentication (MFA) across all systems that access or transmit PHI.
- Develop and maintain a complete technology asset inventory and up-to-date network diagrams for all systems handling PHI.
- Evaluate and implement network segmentation to contain breaches and minimize lateral movement across systems.
- Schedule regular vulnerability scans (at least twice annually) and annual penetration tests to identify and address security weaknesses.
- Strengthen vendor management practices by requiring annual compliance attestations from business associates and updating contracts to include the 24-hour breach notification rule.
- Secure executive-level buy-in and funding for cybersecurity initiatives by framing these investments as critical to both regulatory compliance and patient safety.
HIPAA Security Technical Safeguards
- Access Control: This is a cornerstone of HIPAA technical safeguards. Organizations must implement systems to ensure that users can only access the ePHI necessary for their job functions. A practical example is role-based access control (RBAC) within an Electronic Health Record (EHR) system, where a nurse has different access levels than a billing clerk.
- Audit Controls: Systems must have the capability to record and examine activity. This means keeping detailed audit logs of who accessed ePHI, when they accessed it, and what they did. In a cloud environment like AWS or Azure, this involves enabling detailed logging services (e.g., CloudTrail) to monitor API calls and user activity.
- Integrity Controls: You must have measures in place to ensure that ePHI is not improperly altered or destroyed. This often involves using checksums or other digital signature technologies to verify that data has not been tampered with, both at rest in a database and in transit.
- Authentication Mechanisms: Before granting access to ePHI, organizations must verify the identity of the person or entity seeking access. This goes beyond simple usernames and passwords. Best practice involves multi-factor authentication (MFA), especially for remote access to cloud-based applications or on-premise systems.
- Transmission Security: Any ePHI sent over an external network must be protected against unauthorized interception. This is achieved by implementing strong encryption protocols like TLS 1.2 or higher for all data in transit, whether it’s an email containing patient information or a data transfer to a cloud storage bucket.
Common HIPAA Physical Safeguards Under the HIPAA Security Rule
- Facility Access Controls: The purpose of physical security safeguards under HIPAA is to protect physical locations and equipment from unauthorized access. This includes door locks, alarm systems, and video surveillance for sensitive areas like data centers or server rooms. An administrative policy would dictate who is authorized to have keys or access cards.
- Workstation Use and Positioning: This safeguard governs how workstations are used and where they are placed. Computer monitors displaying ePHI should be positioned away from high-traffic areas to prevent “shoulder surfing.” Policies should also require users to log off before leaving a workstation unattended.
- Device and Media Controls: This involves controlling the receipt and removal of hardware and electronic media containing ePHI. Best practices include maintaining a hardware inventory and implementing strict policies for the final disposal of devices, such as physically destroying hard drives or using certified data destruction services.
- Environmental Protections: Data centers and server rooms should be protected from environmental hazards. This includes having appropriate fire suppression systems, temperature and humidity controls, and backup power supplies (like an uninterruptible power supply or UPS) to ensure system availability and data integrity.
What Is HIPAA Risk Assessment and How Does it Impact Security Compliance?
HIPAA compliance requirements state that CEs and their BAs implement risk assessment as part of their security operations. In fact, risk assessment is outlined in the Privacy Rule as an absolute that healthcare providers and other CEs must perform as part of their compliance.
What is a risk assessment? A risk assessment is an operation where an organization assesses the potential risks of their current and future security implementations. This assessment helps them understand their vulnerabilities and areas of improvement.
In terms of compliance, a risk assessment can also tell the organization and experts whether or not they comply with requirements.
According to the Department of Health and Human Services, a HIPAA risk assessment should include:
- Documentation of PHI and its location, transmission, and storage.
- Assessment of current security measures.
- Determination of reasonably anticipated threats and the risk of a HIPAA breach of PHI, and any impact associated with those breaches.
- Calculating risk levels for combinations of threats and vulnerabilities across multiple security safeguards.
- Reporting, documenting, and recording all assessments, changes and security measure implementations.
This assessment applies to small organizations and enterprise-level corporations. The rules refer to the safety of data, not the size of the company. Because of this, HIPAA security and compliance can be incredibly difficult for large businesses and intimidating for new SMBs entering the industry.
What are the Penalties for HIPAA Non-Compliance?
Risk assessment and compliance are important because the penalties for non-compliance can quickly devastate a healthcare organization.
Violations of regulations fall within four tiers:
- Tier 1: CE or BA was unaware of the violation and couldn’t have reasonably prevented it.
- Tier 2: The CE or BA should have been aware of the violation and was not, but nonetheless couldn’t have reasonably prevented it.
- Tier 3: The CE or BA is guilty of willful neglect of regulations but has made attempts to rectify the situation.
- Tier 4: The CE or BA is guilty of willful neglect and has made no attempt to correct the violation.
Penalties tend to get more severe the higher the tier. In tier 1, penalties can be as low as $100 per violation. Conversely, penalties for a neglectful violation with no attempt to correct can collect fees at a minimum of $50,000 per violation.
It bears repeating that penalties are per violation. While there are annual caps on damages depending on the types of violations, it isn’t unheard of for a CE in willful neglect of rules to suffer millions of dollars in penalties within a single data breach event.
How Does Kiteworks Help Businesses with HIPAA Security Compliance?
For businesses relying on cloud or SaaS providers, ensuring technical integrity and functionality is one of the most integral parts of compliance.
Note that when you work with any third-party software vendor, they should be openly knowledgeable in compliance and managing data in the healthcare industry. If they are going to store PHI or manage ePHI transmissions in any way for your organization, they must be an authorized Business Associate and you must enter into a Business Associate Agreement (BAA) with them to stay compliant.
The Kiteworks platform is a HIPAA-compliant software vendor that can support your healthcare business across all important aspects of PHI security:
- Compliance: This includes providing one-click reporting for audits, administrative safeguards, and data backups. You’ll also get physical safeguards certified under SOC 2 audits over AWS and Microsoft Azure platforms, or the option of deploying on your own premises or IaaS resources.
- Visibility: Document trails are critical for compliance, and the Kiteworks platform gives you the capabilities to track document access, user authentication and authorization, and layers of reporting for incident responses, risk assessment and file sharing. Your doctors, employees and patients can collaborate without compromising PHI.
- Security: Kiteworks platform technology supports enterprise-grade, HIPAA compliant measures like AES-256 encryption, TLS-1.2 and S/MIME HIPAA email encryption, and password management with multi-factor authentication.
Trust Kiteworks with Your HIPAA Compliance Needs
With the Kiteworks platform, you’re getting communications, email, content firewall, encryption, and more than meets requirements across the board. Take the burden of IT management off your plate and work with a partner that supports your business so you can focus on healthcare and patients.
To learn more about Kiteworks’ HIPAA-compliant Hybrid Cloud Deployment, schedule a custom demo of Kiteworks today.
Additional Resources
- Blog Post What Are HIPAA Compliance Requirements? [Complete Checklist]
- Blog Post Navigating the New HIPAA Amendments: A Comprehensive Guide for Healthcare Leaders
- Blog Post Your Complete Checklist for Achieving HIPAA Compliance
- Blog Post What Is a HIPAA Violation? Most Common Violation Examples
- Blog Post HIPAA Audit Logs: Complete Requirements for Healthcare Compliance in 2025