The Three Safeguard Categories: Administrative, Physical & Technical
Duration: 55 min · Level: Intermediate · Module: 6. HIPAA Security Rule & Access Control · Focus: security-rule, safeguards, administrative, physical, technical
By the end of this lesson you will be able to explain and apply:
- Administrative safeguards (required)
- Risk analysis
- Physical safeguards
- Technical safeguards
- Addressable vs required safeguards
Why this matters
The HIPAA Security Rule requires covered entities to implement safeguards across three categories.
Overview
The HIPAA Security Rule requires covered entities to implement safeguards across three categories. Administrative safeguards are policies and procedures. Physical safeguards protect hardware and buildings. Technical safeguards are the controls built into systems. All three must be present for compliance.
Key concepts
- Administrative safeguards (required): security management process (risk analysis + risk management), assigned security officer, workforce training, information access management, contingency plan (data backup, disaster recovery, emergency mode)
- Risk analysis: required by HIPAA — must identify where ePHI lives, threats to ePHI, vulnerabilities, and current controls; documented and updated regularly; failure to conduct risk analysis is the most commonly cited HIPAA violation
- Physical safeguards: facility access controls (badge readers, locked server rooms), workstation use policies (screen locks, no PHI on unsecured workstations), device and media controls (encrypted laptops, mobile device management)
- Technical safeguards: access controls (unique user IDs + passwords, automatic logoff), audit controls (logging all access to ePHI), integrity controls (hash verification to detect tampering), transmission security (encryption for ePHI in transit)
- Addressable vs required safeguards: "required" must be implemented; "addressable" must be implemented OR the entity must document why it is not reasonable and what equivalent alternative was implemented instead
- Encryption standard: HIPAA does not specify an encryption algorithm; NIST recommends AES-256 for data at rest and TLS 1.2+ for data in transit; if an encrypted device is lost or stolen, no breach notification is required
Check your understanding
Try to recall each answer before expanding it.
Q1. What do you know about Administrative safeguards (required)?
security management process (risk analysis + risk management), assigned security officer, workforce training, information access management, contingency plan (data backup, disaster recovery, emergency mode)
Q2. What do you know about Risk analysis?
required by HIPAA — must identify where ePHI lives, threats to ePHI, vulnerabilities, and current controls; documented and updated regularly; failure to conduct risk analysis is the most commonly cited HIPAA violation
Q3. What do you know about Physical safeguards?
facility access controls (badge readers, locked server rooms), workstation use policies (screen locks, no PHI on unsecured workstations), device and media controls (encrypted laptops, mobile device management)
Q4. What do you know about Technical safeguards?
access controls (unique user IDs + passwords, automatic logoff), audit controls (logging all access to ePHI), integrity controls (hash verification to detect tampering), transmission security (encryption for ePHI in transit)
Q5. What do you know about Addressable vs required safeguards?
"required" must be implemented; "addressable" must be implemented OR the entity must document why it is not reasonable and what equivalent alternative was implemented instead