HIPAA Security Rule: What It Requires and What It Means for Small Practices
TLDR
The HIPAA Security Rule requires covered entities to protect electronic PHI (ePHI) using administrative, physical, and technical safeguards. The rule is deliberately flexible — small practices are not held to hospital-grade controls. But the foundation is the same regardless of size: you must conduct and document a risk analysis before implementing any safeguards.
The HIPAA Security Rule is the part of HIPAA that most small practices underestimate. Practices often focus on patient privacy notices and access request forms — the visible Privacy Rule obligations — while treating the Security Rule as an IT problem. It is not. The Security Rule is primarily an administrative compliance program, and the documentation it requires falls on the practice administrator, not the IT vendor.
This guide covers what the Security Rule requires, what each category of safeguards means for a small clinic, and why the risk analysis is the document that determines whether everything else holds up.
What Is the HIPAA Security Rule
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes national standards for protecting electronic protected health information. Congress enacted it as part of HIPAA in 1996; the final rule took effect in 2005.
Where the Privacy Rule governs all PHI — paper, verbal, and electronic — the Security Rule applies exclusively to ePHI: any protected health information that exists in electronic form. This includes records in your EHR, patient data in billing software, emails containing clinical information, data on tablets or phones used by clinical staff, and cloud backups.
The rule is structured around three categories of safeguards: administrative, physical, and technical. Each category contains a mix of “required” specifications (must implement) and “addressable” specifications (must implement if reasonable and appropriate, or document an equivalent alternative).
Who the Security Rule Applies To
The Security Rule applies to:
- Covered entities — health care providers who transmit health information electronically, health plans, and health care clearinghouses
- Business associates — vendors and contractors who create, receive, maintain, or transmit ePHI on behalf of a covered entity
If your clinic uses an EHR, a billing service, a cloud storage provider, or a telehealth platform that handles patient data, those vendors are business associates. Each must sign a business associate agreement (BAA) and independently comply with the Security Rule for the ePHI they handle.
A practice with two physicians and a front desk coordinator is a covered entity with the same Security Rule obligations as a large group practice. The obligations are the same; the scale of implementation adjusts based on the flexibility principle covered later in this guide.
Administrative Safeguards
Administrative safeguards are the largest and most important category for small practices. They govern how the practice manages its security program — not specific technology controls, but the policies and processes that direct everything else.
Risk analysis (required). Every Security Rule compliance program starts here. Practices must conduct a documented assessment of the risks and vulnerabilities to ePHI across all systems and workflows. The risk analysis identifies what ePHI exists, where it lives, what threats could affect it, and the likelihood and impact of each threat. Without a completed risk analysis, every other safeguard the practice has in place is effectively undocumented — OCR cannot assess whether controls are appropriate if the underlying risk assessment does not exist.
Risk management (required). Based on the risk analysis findings, practices must implement security measures sufficient to reduce identified risks to a reasonable level. This does not mean eliminating all risk — it means documented, proportionate responses to each identified risk.
Workforce training (required). The Security Rule requires a security awareness and training program for all workforce members. This includes training on recognizing phishing, password policies, and proper device use. See the companion guide on HIPAA compliance training for documentation requirements.
Access management (required). Practices must have policies for authorizing and supervising workforce members’ access to ePHI. This includes a process for granting access when someone joins the practice and revoking it immediately when they leave.
Contingency planning (required). Practices must have a documented plan for responding to an emergency that could damage systems containing ePHI — including data backup procedures and a disaster recovery plan.
Physical Safeguards
Physical safeguards address the protection of ePHI at the location level and at the device level.
Facility access controls (required). Practices must limit physical access to electronic information systems containing ePHI to authorized users. In a small clinic, this typically means locking the server room or IT closet, controlling who can access workstations after hours, and having a documented process for visitor access to clinical areas.
Workstation use and security (required). Practices must have a policy governing the proper use of workstations that access ePHI. Workstation screens should not face waiting areas or public spaces where patients could view other patients’ information. Automatic screen locks after a period of inactivity are standard. The policy must be written, not informal.
Device and media controls (required). This covers how the practice handles hardware and electronic media that contain ePHI — including disposal. Deleting files before donating or disposing of a computer is not sufficient. Hard drives must be wiped using a certified data destruction method, or physically destroyed. Mobile devices — tablets, phones used in the clinic — must be tracked, and the practice must be able to wipe them remotely if lost.
Technical Safeguards
Technical safeguards are the technology-level controls that protect ePHI in systems and during transmission.
Access controls (required). Systems containing ePHI must require unique user IDs and authentication. Shared login credentials — one username and password used by multiple staff members — are a direct Security Rule violation. Each user needs their own account so that access can be audited and revoked individually.
Audit controls (required). Practices must implement hardware, software, or procedural mechanisms to record and examine access and activity in systems that contain ePHI. Most EHRs include audit logging — practices need to know that it is enabled and review logs when a suspected access violation occurs.
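The two paragraphs above describe what an audit log review should look for: a shared login (one user ID active on two workstations at the same time), record access outside clinic hours, and access by an account that should have been revoked when someone left. The script below is an added example, not PHIGuard's code and not any EHR vendor's log format; the field layout, user IDs, workstation names, clinic hours and terminated-user list are all constructed assumptions. It turns a constructed audit log into a short list of findings a practice administrator can act on.

```python
"""Review a constructed EHR audit log for Security Rule access-control problems.

Added example: the log format, user IDs, workstation names, clinic hours and
terminated-user list are constructed assumptions, not a real EHR's output.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log: timestamp, user ID, workstation, action, patient record ID.
SAMPLE_LOG = """\
2024-03-04T08:50:00,jsmith,FRONTDESK-1,LOGIN,-
2024-03-04T08:55:10,jsmith,FRONTDESK-1,VIEW,PT-10021
2024-03-04T09:02:44,jsmith,EXAM-2,LOGIN,-
2024-03-04T09:03:15,jsmith,EXAM-2,VIEW,PT-10033
2024-03-04T09:30:00,jsmith,EXAM-2,LOGOUT,-
2024-03-04T09:35:00,jsmith,FRONTDESK-1,LOGOUT,-
2024-03-04T12:40:00,tnguyen,BILLING-1,LOGIN,-
2024-03-04T12:41:00,tnguyen,BILLING-1,VIEW,PT-10087
2024-03-04T12:55:00,tnguyen,BILLING-1,LOGOUT,-
2024-03-04T22:15:32,rlee,EXAM-1,LOGIN,-
2024-03-04T22:16:00,rlee,EXAM-1,VIEW,PT-10102
2024-03-04T22:20:00,rlee,EXAM-1,LOGOUT,-
2024-03-05T10:11:07,mgarcia,FRONTDESK-1,LOGIN,-
2024-03-05T10:12:00,mgarcia,FRONTDESK-1,VIEW,PT-10021
"""

# Constructed workforce data (assumptions): who has left the practice, and normal clinic hours.
TERMINATED_USERS = {"mgarcia"}
CLINIC_OPEN, CLINIC_CLOSE = time(7, 0), time(19, 0)
RECORD_ACTIONS = {"VIEW", "UPDATE"}  # actions that touch a patient record


def parse_log(text):
    """Turn comma-separated audit lines into dicts, oldest first; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, action, record = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "workstation": workstation, "action": action, "record": record})
    return sorted(events, key=lambda e: e["ts"])


def find_findings(events):
    """Return (finding_type, user, detail) tuples for the reviewer to follow up."""
    findings = []
    open_sessions = defaultdict(dict)  # user -> {workstation: login time}
    for e in events:
        user, ws, action, ts = e["user"], e["workstation"], e["action"], e["ts"]
        # 1. Any activity by an account that should have been revoked at departure.
        if user in TERMINATED_USERS:
            findings.append(("revoked-account-access", user, f"{action} at {ts.isoformat()} on {ws}"))
        # 2. Record access outside clinic hours: not a violation by itself, but worth a look.
        if action in RECORD_ACTIONS and not (CLINIC_OPEN <= ts.time() <= CLINIC_CLOSE):
            findings.append(("after-hours-record-access", user, f"{action} {e['record']} at {ts.isoformat()}"))
        # 3. A LOGIN on a second workstation while the first session is still open is the
        #    usual signature of a shared login, which the unique-user-ID requirement forbids.
        if action == "LOGIN":
            others = [w for w in open_sessions[user] if w != ws]
            if others:
                findings.append(("concurrent-session", user,
                                 f"LOGIN on {ws} while still logged in on {', '.join(others)}"))
            open_sessions[user][ws] = ts
        elif action == "LOGOUT":
            open_sessions[user].pop(ws, None)
    return findings


def review(text=SAMPLE_LOG):
    """Parse and review a log in one call."""
    return find_findings(parse_log(text))


if __name__ == "__main__":
    for kind, user, detail in review():
        print(f"{kind:26} {user:10} {detail}")
```

Run against the constructed log, the review flags jsmith's second login as a possible shared credential, rlee's 22:16 record view as after-hours, and both of mgarcia's events as use of an account that should have been revoked. The point of the exercise is that none of these are visible unless audit logging is on and someone actually reads the output; the thresholds (clinic hours, which actions count) are the kind of decision the risk analysis should document.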
Integrity controls (addressable). Practices must implement measures to protect ePHI from improper alteration or destruction, and verify that ePHI has not been altered in transmission.
Transmission security (addressable). ePHI transmitted over electronic networks must be protected against unauthorized access. Encryption in transit — TLS for web-based systems, encrypted email for PHI transmitted by email — is the standard implementation. Practices using unencrypted email to send patient records are out of compliance with this specification.
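The integrity specification above asks the practice to be able to tell whether ePHI was altered in transmission. TLS already does this for a web session; the added example below (not the page's code, not PHIGuard's, and not any EHR vendor's API) shows the same principle at the message level, as it would apply to a record file handed to a billing service: the sender attaches a keyed HMAC-SHA256 tag, and the recipient recomputes it and rejects anything that does not match. The shared key, the sample claim record and the canonical-JSON framing are constructed assumptions.

```python
"""Detect alteration of an ePHI record in transit with a keyed HMAC tag.

Added example. The key, the record and the canonical-JSON framing are
constructed assumptions; a real deployment agrees the key with the recipient
out of band and never ships it beside the data.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-use"  # assumption: shared with the recipient out of band


def canonical(record):
    """Serialize deterministically so sender and recipient hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=SHARED_KEY):
    """Return an envelope: the record plus a hex HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope, key=SHARED_KEY):
    """True only if the tag matches the record; compare_digest avoids timing leaks."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo():
    """Seal a constructed claim, then show that a changed amount fails verification."""
    claim = {"patient_id": "PT-10033", "cpt": "99213", "amount_cents": 12500}
    envelope = seal(claim)
    intact = verify(envelope)
    # Simulate alteration in transit: the amount changes but the tag is left as-is.
    tampered = {"record": dict(envelope["record"], amount_cents=125000), "tag": envelope["tag"]}
    return intact, verify(tampered)


if __name__ == "__main__":
    print("intact verifies: %s, tampered verifies: %s" % demo())
```

A plain hash (SHA-256 without a key) would not do here: anyone who can alter the record can recompute the hash. The key is what ties the tag to the sender, and the canonical serialization is what keeps two honest parties from disagreeing over key order or whitespace.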
The Flexibility Principle: What “Reasonable and Appropriate” Means for Small Practices
The Security Rule explicitly instructs covered entities to calibrate their safeguards based on:
- The size, complexity, and capabilities of the covered entity
- The technical infrastructure and hardware and software security capabilities
- The probability and criticality of potential risks to ePHI
- The cost of security measures
A three-provider family practice clinic is not expected to deploy a security operations center or enterprise intrusion detection systems. But it is expected to conduct and document a risk analysis, implement basic access controls, train staff, and have a written contingency plan. The gap between “reasonable for a small clinic” and “no documentation at all” is where most enforcement actions originate.
OCR’s Small Practice guidance acknowledges that small practices face resource constraints. The agency’s audit protocol still includes every Security Rule category — practices are evaluated on whether their implementation is proportionate and documented, not whether it matches what a large health system does.
PHIGuard’s compliance dashboard tracks your risk assessments, policy documentation, and training logs — the administrative safeguards that are the foundation of Security Rule compliance. Every plan, including the $20/month Practice tier (up to 10 staff), includes a signed BAA and the documentation tools that support an audit response.
The most common mistake small practices make with the Security Rule is assuming that having an IT vendor handle their EHR and network security means they are compliant. The IT vendor handles technical safeguards. The administrative safeguards — risk analysis, workforce training, access policies, contingency planning — are the practice’s responsibility, and they require documentation that only the practice can produce.
Definitions
- ePHI (Electronic Protected Health Information): Any protected health information that is created, received, maintained, or transmitted in electronic form. This includes records in your EHR, emails containing patient information, data on portable devices, and backups stored in the cloud.
- Risk Analysis: A systematic assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Under the Security Rule, a documented risk analysis is a required administrative safeguard — it is the starting point for all other compliance decisions.
- Addressable Implementation Specification: A Security Rule safeguard that must be implemented if it is reasonable and appropriate for the covered entity, or replaced with an equivalent alternative measure with written justification. The term 'addressable' does not mean the requirement can be ignored.
- Administrative Safeguards: The policies, procedures, and administrative actions required to manage the selection, development, implementation, and maintenance of security measures. Administrative safeguards make up the largest category under the Security Rule and include risk analysis, workforce training, and access management.
Q&A
What does the HIPAA Security Rule require?
The Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. The rule does not mandate specific technologies — it requires practices to analyze their risks and implement safeguards that are reasonable and appropriate given their size, complexity, and capabilities.
What must a HIPAA risk analysis include?
A risk analysis must identify where ePHI is created, received, maintained, or transmitted; identify reasonably anticipated threats to that information; assess the likelihood and impact of each threat; and document the findings. The output of the risk analysis drives the selection of safeguards in all three categories. OCR's published guidance lists six required components of a compliant risk analysis.
What physical safeguards does a small clinic need?
Physical safeguards cover facility access and workstation controls. At minimum, a small practice needs locked or controlled access to areas where ePHI is accessible, a policy on workstation use and positioning (screens should not face public areas), and a documented process for disposing of devices — hard drives and mobile devices must be wiped or destroyed before disposal, not simply deleted.