Safeguards Required by the HIPAA Security Rule

The HIPAA Security Rule requires covered entities to identify and analyze risks to e-PHI. As part of this process, the covered entity must reduce vulnerabilities by implementing administrative, physical, and technical security measures.


Administrative safeguards include the following types of controls:

  • Designated, responsible security management
  • Periodic security awareness and HIPAA training for all personnel who handle e-PHI
  • Periodic acknowledgment of security policies and procedures
  • Security policies and procedures with sanctions for workforce violations
  • Periodic risk assessment related to e-PHI vulnerabilities and coverage specific to the Security Rule
  • Periodic internal control and security policy and procedures assessments specific to coverage of the Security Rule
  • Physical and logical access least privilege policies and controls

Physical safeguards include the following types of controls:

  • Limited physical access to facilities and spaces where e-PHI is stored based on least privilege
  • Policies and procedures covering proper use and access to devices and electronic media
  • Policies and procedures related to proper physical or electronic movement of e-PHI and media containing e-PHI
  • Policies and procedures related to proper wiping and/or disposal of e-PHI and media containing e-PHI

Technical safeguards include the following types of controls:

  • Policies and procedures covering least privilege logical access to e-PHI
  • Logging and monitoring of access and other activities in systems that contain e-PHI
  • Edit checks to validate the accuracy and completeness of e-PHI
  • IDS, IPS, and firewalls in place and monitored
  • Periodic monitoring of firewall configurations
  • Data encryption at rest and in transit

McKonly & Asbury is experienced in assisting clients in identifying and implementing the controls needed to pass a HIPAA compliance audit. Please contact us if you have questions about the process or are ready to move forward with a HIPAA assessment.

About the Author

Lynnanne Bocchi

Lynnanne joined McKonly & Asbury in 2018 and is currently a Principal with the firm. She is a key member of our firm’s System and Organization Controls (SOC) Practice, preparing SOC 1, SOC 2, and SOC 3 reports for our clients. She holds th…
