The HIPAA Security Rule, codified at 45 CFR Part 164, Subpart C, establishes a comprehensive framework of administrative, physical, and technical safeguards that covered entities and business associates must implement to protect electronic protected health information (ePHI). Effective compliance requires understanding the distinction between required implementation specifications — which must be implemented exactly as specified — and addressable specifications — which must be implemented if reasonable and appropriate, or documented with a reasoned alternative measure.
This checklist covers all safeguard categories as of May 2025, incorporating the HHS OCR HIPAA Security Rule Final Rule update (published April 22, 2024, effective May 7, 2024, with a compliance date of February 16, 2026 for most covered entities) which added several new required specifications related to vulnerability scanning, multi-factor authentication, and network segmentation.
Covered entities and business associates may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications of the Security Rule. The factors to be considered include: (1) the size, complexity, and capabilities of the covered entity or business associate; (2) the covered entity's or business associate's technical infrastructure, hardware, and software security capabilities; (3) the costs of security measures; and (4) the probability and criticality of potential risks to ePHI.
1. Administrative Safeguards — 45 CFR § 164.308
Administrative safeguards are the policies, procedures, and management actions used to select, develop, implement, and maintain security measures to protect ePHI and manage the conduct of the covered entity's workforce. They represent the largest category of HIPAA Security Rule requirements.
1a. Security Management Process (§ 164.308(a)(1))
- Required Risk Analysis: Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI across all systems that create, receive, maintain, or transmit ePHI. Must be documented. (§ 164.308(a)(1)(ii)(A))
- Required Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level. The risk management plan must document the chosen safeguards and the rationale for their selection. (§ 164.308(a)(1)(ii)(B))
- Addressable Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures. Sanctions applied must be documented. (§ 164.308(a)(1)(ii)(C))
- Required Information System Activity Review: Regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (§ 164.308(a)(1)(ii)(D))
1b. Workforce Security (§ 164.308(a)(3))
- Addressable Authorization and Supervision: Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed. (§ 164.308(a)(3)(ii)(A))
- Addressable Workforce Clearance: Implement procedures to determine that a workforce member's access to ePHI is appropriate. Typical measures include background checks and access reviews. (§ 164.308(a)(3)(ii)(B))
- Addressable Termination Procedures: Implement procedures for terminating access to ePHI when a workforce member's employment ends or role changes. Account deprovisioning within 24 hours is industry best practice. (§ 164.308(a)(3)(ii)(C))
1c. Security Awareness and Training (§ 164.308(a)(5))
- Required Security Awareness Program: Implement a security awareness and training program for all workforce members (including management). Training must be provided to new workforce members and updated when environmental or operational changes affect the security of ePHI. (§ 164.308(a)(5)(i))
- Addressable Malicious Software Protection: Procedures for guarding against, detecting, and reporting malicious software. (§ 164.308(a)(5)(ii)(B))
- Addressable Log-in Monitoring: Procedures for monitoring log-in attempts and reporting discrepancies. (§ 164.308(a)(5)(ii)(C))
- Addressable Password Management: Procedures for creating, changing, and safeguarding passwords. (§ 164.308(a)(5)(ii)(D))
1d. Contingency Plan (§ 164.308(a)(7))
- Required Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of ePHI. Backups must be tested regularly; the 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite) is the industry standard. (§ 164.308(a)(7)(ii)(A))
- Required Disaster Recovery Plan: Establish (and implement as needed) procedures to restore lost data. Must include documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). (§ 164.308(a)(7)(ii)(B))
- Required Emergency Mode Operation Plan: Procedures for enabling continuation of critical business processes for protecting ePHI while operating in emergency mode. (§ 164.308(a)(7)(ii)(C))
- Addressable Applications and Data Criticality Analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components. (§ 164.308(a)(7)(ii)(E))
2. Physical Safeguards — 45 CFR § 164.310
Physical safeguards govern the physical measures, policies, and procedures used to protect covered entities' electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Effective physical safeguards prevent unauthorized individuals from accessing systems that contain ePHI.
2a. Facility Access Controls (§ 164.310(a)(1))
- Addressable Contingency Operations: Procedures that allow facility access in support of restoration of lost data under disaster recovery and emergency mode operations plans. (§ 164.310(a)(2)(i))
- Addressable Facility Security Plan: Policies and procedures to safeguard the facility and the equipment within it from unauthorized physical access, tampering, and theft. (§ 164.310(a)(2)(ii))
- Addressable Access Control and Validation: Procedures to control and validate a person's access to facilities based on role or function. (§ 164.310(a)(2)(iii))
- Addressable Maintenance Records: Maintain documentation of repairs and modifications to physical components of facilities related to security (hardware, walls, doors, locks). (§ 164.310(a)(2)(iv))
2b. Workstation and Device Controls (§ 164.310(b)–(d))
- Required Workstation Use Policy: Specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of workstations that access ePHI. (§ 164.310(b))
- Required Workstation Security: Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users. Screen privacy filters, cable locks, and clean desk policies are common implementations. (§ 164.310(c))
- Required Device and Media Disposal: Implement policies and procedures for final disposal of ePHI from electronic media. Certificates of destruction are required, and NIST SP 800-88 media sanitization standards apply. (§ 164.310(d)(1))
- Addressable Hardware Inventory: Maintain records of the movements of hardware and electronic media and the persons responsible. (§ 164.310(d)(2)(iii))
3. Technical Safeguards — 45 CFR § 164.312
Technical safeguards are the technology and policies and procedures for its use that protect ePHI and control access to it. These are typically enforced through software controls, encryption configurations, and system architecture decisions.
3a. Access Controls (§ 164.312(a)(1))
- Required Unique User Identification: Assign unique names and/or numbers for identifying and tracking user identity for all users who access systems containing ePHI. Shared accounts are a HIPAA violation. (§ 164.312(a)(2)(i))
- Required Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency. Typical implementations use break-the-glass access procedures with post-event audit reviews. (§ 164.312(a)(2)(ii))
- Addressable Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. A 15-minute idle timeout is the healthcare standard. (§ 164.312(a)(2)(iii))
- Addressable Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI stored on servers, databases, and portable media. AES-256 is the current standard. (§ 164.312(a)(2)(iv))
3b. Audit Controls, Integrity, and Transmission Security (§ 164.312(b)–(e))
- Required Audit Controls: Implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit logs must be retained per organizational policy (a minimum of 6 years is recommended to align with the Documentation Standard, § 164.316(b)(2)). (§ 164.312(b))
- Addressable Integrity Mechanisms: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. Common mechanisms include checksums, digital signatures, and file integrity monitoring. (§ 164.312(c)(2))
- Required Person/Entity Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. Multi-factor authentication (MFA) satisfies this requirement and is required under the 2024 Final Rule for all remote access to ePHI. (§ 164.312(d))
- Required Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks. All PHI transmitted over public networks must use TLS 1.2 or higher. (§ 164.312(e)(1))
- Addressable Encryption in Transit: Implement a mechanism to encrypt ePHI in transit whenever deemed appropriate. Given OCR enforcement trends, encryption of all network-transmitted PHI is considered a de facto requirement regardless of the addressable designation. (§ 164.312(e)(2)(ii))
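As an added illustration of the Information System Activity Review (1a), Log-in Monitoring (1c), Unique User Identification and Audit Controls items above, the following Python script (written for this checklist, not an HHS/OCR or vendor tool) flags two discrepancies in a constructed audit trail: a burst of failed log-ins against one user ID, and one user ID signing in from two hosts minutes apart, which suggests a credential shared between people. The log layout, thresholds and time windows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). The record layout
# "timestamp | user_id | event | source_ip" is an assumption for this example.
SAMPLE_LOG = """\
2025-05-01T08:02:11 | jdoe    | LOGIN_FAIL | 10.1.4.20
2025-05-01T08:02:19 | jdoe    | LOGIN_FAIL | 10.1.4.20
2025-05-01T08:02:27 | jdoe    | LOGIN_FAIL | 10.1.4.20
2025-05-01T08:02:35 | jdoe    | LOGIN_FAIL | 10.1.4.20
2025-05-01T08:02:44 | jdoe    | LOGIN_FAIL | 10.1.4.20
2025-05-01T08:05:00 | nurse01 | LOGIN_OK   | 10.1.7.31
2025-05-01T08:06:12 | nurse01 | LOGIN_OK   | 10.1.9.88
2025-05-01T09:15:40 | asmith  | LOGIN_OK   | 10.1.4.55
"""

FAIL_THRESHOLD = 5                     # failed log-ins per user ID ...
FAIL_WINDOW = timedelta(minutes=10)    # ... within this window is a discrepancy
SHARED_WINDOW = timedelta(minutes=15)  # one user ID on two hosts this close together

def parse(log_text):
    """Turn log lines into (timestamp, user, event, ip) tuples, oldest first."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, ip = (f.strip() for f in line.split("|"))
            rows.append((datetime.fromisoformat(ts), user, event, ip))
    return sorted(rows)

def review(log_text):
    """Return (finding, user, detail) tuples for the periodic activity review."""
    fails, logins, findings = defaultdict(list), defaultdict(list), []
    for ts, user, event, ip in parse(log_text):
        if event == "LOGIN_FAIL":
            # Keep only failures inside the sliding window, then add this one.
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) == FAIL_THRESHOLD:
                findings.append(("LOGIN_DISCREPANCY", user,
                                 f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
        elif event == "LOGIN_OK":
            # Successful log-ins from different hosts within SHARED_WINDOW suggest
            # a credential shared between people, defeating unique user identification.
            logins[user] = [(t, i) for t, i in logins[user] if ts - t <= SHARED_WINDOW]
            hosts = {i for _, i in logins[user]} | {ip}
            if len(hosts) > 1:
                findings.append(("POSSIBLE_SHARED_ACCOUNT", user, ", ".join(sorted(hosts))))
            logins[user].append((ts, ip))
    return findings
```

Each finding is a record for the reviewer to follow up under the sanction policy or workforce clearance procedures, not an automatic verdict.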
4. OCR Civil Money Penalty Reference Table (2025)
The following table reflects the four-tier civil money penalty structure established under 45 CFR § 160.404 and adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015:
| Penalty Tier | Culpability Standard | Per-Violation Range | Annual Cap |
|---|---|---|---|
| Tier 1 | Did not know and could not have known (with reasonable diligence) | $137 – $68,928 | $2,067,813 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,379 – $68,928 | $2,067,813 |
| Tier 3 | Willful neglect — corrected within 30 days of discovery | $13,785 – $68,928 | $2,067,813 |
| Tier 4 | Willful neglect — not corrected within 30 days | $68,928 per violation | $2,067,813 |
In addition to civil money penalties, the HIPAA criminal enforcement provisions under 42 U.S.C. § 1320d-6 allow the Department of Justice to prosecute individuals who knowingly obtain, disclose, or use PHI in violation of HIPAA. Penalties range from $50,000 and 1 year imprisonment for basic violations to $250,000 and 10 years imprisonment for violations committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
5. Documentation Requirements — 45 CFR § 164.316
The Security Rule requires covered entities and business associates to maintain written (which may be electronic) documentation of all security policies, procedures, actions, activities, and assessments required under the Security Rule. All documentation must be retained for a minimum of 6 years from the date of creation or the date the document was last in effect, whichever is later (45 CFR § 164.316(b)(2)(i)).
Documentation must be made available to those workforce members responsible for implementing the procedures, and must be reviewed and updated periodically in response to environmental or operational changes that affect the security of ePHI (§ 164.316(b)(2)(iii)).
6. Relationship to the Privacy Rule
The Security Rule governs ePHI exclusively — electronic protected health information. The Privacy Rule (45 CFR §§ 164.500–164.534) covers PHI in all forms: electronic, paper, and oral. A covered entity may fully satisfy the Security Rule while still violating the Privacy Rule (e.g., impermissible paper-based disclosures). A comprehensive HIPAA compliance program must address both rules simultaneously, along with the Breach Notification Rule (45 CFR §§ 164.400–164.414) and, for applicable entities, the Omnibus Rule requirements added by HITECH (Pub. L. 111-5, § 13401 et seq.).
Covered entities and business associates must perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under the Security Rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet the requirements of the Security Rule. An evaluation must be conducted at least annually, or following any significant operational change.
Summary: 2025 HIPAA Compliance Priority List
Based on OCR enforcement patterns, settlement findings, and the 2024 Security Rule update, the following represent the highest-priority compliance gaps in U.S. healthcare organizations as of May 2025:
- Documented, current risk analysis — cited in over 90% of OCR settlement agreements (§ 164.308(a)(1)(ii)(A))
- Multi-factor authentication — required for all remote ePHI access under the 2024 Final Rule
- Executed BAAs with all business associates — a direct violation if PHI is shared without one (§ 164.504(e))
- Audit log review program — not just enabling logs, but actively reviewing them (§ 164.312(b))
- Workforce training with documented completion — required annually (§ 164.308(a)(5))
- Encryption of ePHI in transit and at rest — now effectively required under 2024 updates
- Device and media disposal procedures with certificates of destruction — portable media breaches remain among the most common reportable events (§ 164.310(d))
For tool recommendations aligned with each of these priorities, see the HipaaDirectory.com Compliance Tool Listings — 25 verified HIPAA-compliant tools mapped to specific 45 CFR provisions.