HIPAA Security Rule
Health Insurance Portability and Accountability Act security standards for protecting electronic protected health information (ePHI)
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (8)
Administrative
| Code | Title |
|---|---|
| 164.306 | Security Standards: General Rules |
| 164.308(a)(1)(i) | Security Management Process (Standard) |
| 164.308(a)(1)(ii)(A) | Risk Analysis (Required) |
| 164.308(a)(1)(ii)(B) | Risk Management (Required) |
| 164.308(a)(1)(ii)(C) | Sanction Policy (Required) |
| 164.308(a)(1)(ii)(D) | Information System Activity Review (Required) |
| 164.308(a)(2) | Assigned Security Responsibility (Standard) |
| 164.308(a)(3)(i) | Workforce Security (Standard) |
| 164.308(a)(3)(ii)(A) | Authorization and Supervision (Addressable) |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure (Addressable) |
| 164.308(a)(3)(ii)(C) | Termination Procedures (Addressable) |
| 164.308(a)(4)(i) | Information Access Management (Standard) |
| 164.308(a)(4)(ii)(A) | Isolating Health Care Clearinghouse Functions (Required if applicable) |
| 164.308(a)(4)(ii)(B) | Access Authorization (Addressable) |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification (Addressable) |
| 164.308(a)(5)(i) | Security Awareness and Training (Standard) |
| 164.308(a)(5)(ii)(A) | Security Reminders (Addressable) |
| 164.308(a)(5)(ii)(B) | Protection from Malicious Software (Addressable) |
| 164.308(a)(5)(ii)(C) | Log-in Monitoring (Addressable) |
| 164.308(a)(5)(ii)(D) | Password Management (Addressable) |
| 164.308(a)(6)(i) | Security Incident Procedures (Standard) |
| 164.308(a)(6)(ii) | Response and Reporting (Required) |
| 164.308(a)(7)(i) | Contingency Plan (Standard) |
| 164.308(a)(7)(ii)(A) | Data Backup Plan (Required) |
| 164.308(a)(7)(ii)(B) | Disaster Recovery Plan (Required) |
| 164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan (Required) |
| 164.308(a)(7)(ii)(D) | Testing and Revision Procedures (Addressable) |
| 164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis (Addressable) |
| 164.308(a)(8) | Evaluation (Standard) |
| 164.308(b)(1) | Business Associate Contracts and Other Arrangements (Standard) |
| 164.308(b)(3) | Written Contract or Other Arrangement |
Organizational
| Code | Title |
|---|---|
| 164.314(a)(1) | Business Associate Contracts or Other Arrangements (Standard) |
| 164.314(a)(2)(i) | Business Associate Contract Required Provisions |
| 164.314(a)(2)(ii) | Other Arrangements (Government) |
| 164.314(a)(2)(iii) | Business Associate Contracts with Subcontractors |
| 164.314(b)(1) | Requirements for Group Health Plans (Standard) |
| 164.314(b)(2) | Implementation Specifications for Group Health Plans |
Organizational Requirements
Requirements for business associate contracts and group health plans
Physical
| Code | Title |
|---|---|
| 164.310(a)(1) | Facility Access Controls (Standard) |
| 164.310(a)(2)(i) | Contingency Operations (Addressable) |
| 164.310(a)(2)(ii) | Facility Security Plan (Addressable) |
| 164.310(a)(2)(iii) | Access Control and Validation Procedures (Addressable) |
| 164.310(a)(2)(iv) | Maintenance Records (Addressable) |
| 164.310(b) | Workstation Use (Standard) |
| 164.310(c) | Workstation Security (Standard) |
| 164.310(d)(1) | Device and Media Controls (Standard) |
| 164.310(d)(2)(i) | Disposal (Required) |
| 164.310(d)(2)(ii) | Media Re-use (Required) |
| 164.310(d)(2)(iii) | Accountability (Addressable) |
| 164.310(d)(2)(iv) | Data Backup and Storage (Addressable) |
Physical Safeguards
Physical measures, policies, and procedures to protect electronic information systems
Policies and Procedures
| Code | Title |
|---|---|
| 164.316(a) | Policies and Procedures (Standard) |
| 164.316(b)(1) | Documentation (Standard) |
| 164.316(b)(2)(i) | Time Limit (Documentation Retention) |
| 164.316(b)(2)(ii) | Availability (Documentation) |
| 164.316(b)(2)(iii) | Updates (Documentation) |
Policies, Procedures and Documentation
Requirements for policies, procedures and documentation
Technical
| Code | Title |
|---|---|
| 164.312(a)(1) | Access Control (Standard) |
| 164.312(a)(2)(i) | Unique User Identification (Required) |
| 164.312(a)(2)(ii) | Emergency Access Procedure (Required) |
| 164.312(a)(2)(iii) | Automatic Logoff (Addressable) |
| 164.312(a)(2)(iv) | Encryption and Decryption (Addressable) |
| 164.312(b) | Audit Controls (Standard) |
| 164.312(c)(1) | Integrity (Standard) |
| 164.312(c)(2) | Mechanism to Authenticate ePHI (Addressable) |
| 164.312(d) | Person or Entity Authentication (Standard) |
| 164.312(e)(1) | Transmission Security (Standard) |
| 164.312(e)(2)(i) | Integrity Controls for Transmission (Addressable) |
| 164.312(e)(2)(ii) | Encryption of Transmissions (Addressable) |
Your Compliance Coverage
If you comply with HIPAA Security Rule, you already cover:
Australia My Health Records Act 2012
9%
6 controls mapped
Compare →ISO/IEC 17050-2:2004
2%
1 controls mapped
Compare →ISO 50001:2018 - Energy Management Systems
2%
1 controls mapped
Compare →+ 4 more: ISO 27701:2019 (2%), ISO/IEC 38500:2024 (2%)
See all 7 mapped frameworks ↓Maps to 7 other frameworks
Frequently Asked Questions
What is HIPAA Security Rule?
HIPAA Security Rule is a compliance framework from United States with 8 domains and 66 controls. Health Insurance Portability and Accountability Act security standards for protecting electronic protected health information (ePHI) It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does HIPAA Security Rule have?
HIPAA Security Rule has 66 controls organised across 8 domains. The largest domains are Administrative (31 controls), Physical (12 controls), Technical (12 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does HIPAA Security Rule map to?
HIPAA Security Rule maps to 7 other compliance frameworks. The top mapping partners are Australia My Health Records Act 2012 (9% coverage), ISO/IEC 17050-2:2004 (2% coverage), ISO 50001:2018 - Energy Management Systems (2% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with HIPAA Security Rule compliance?
Start your HIPAA Security Rule compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about HIPAA Security Rule requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 66 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.
Get Started Free →Free forever — no credit card required