HIPAA Security Rule requirements

HIPAA Security Rule (§164.308-316) mandates flexible safeguards for ePHI protection, categorized as administrative, physical, and technical, with required and addressable specifications. Proposed 2026 updates eliminate the addressable distinction, mandating controls like encryption and MFA amid rising cyber threats. Programs must demonstrate ongoing effectiveness through risk-based implementation, tying into your compliance program and BAA frameworks.​ Administrative safeguards These focus on processes and people:

Specification	Requirements	2026 Updates
Security Management (§164.308(a)(1))	Risk analysis, management, sanction policy, info systems activity review	Annual penetration tests, biannual scans; objective third-party assessments.​
Assigned Security Responsibility (§164.308(a)(2))	Designate officer	Documented governance with C-suite reporting.
Workforce Security (§164.308(a)(3))	Authorization, clearance, supervision	Unique credentials; revoke on termination.
Security Awareness Training (§164.308(a)(5))	Phishing, password management, incident reporting	Annual mandatory; basic/enhanced cybersecurity hygiene.​
Contingency Plans (§164.308(a)(7))	Data backup, disaster recovery, emergency access	Centralized incident response; 24-hour BA reporting.​

Physical safeguards Protect facilities and devices:

• Facility Access Controls (§164.308(a)(8)): Contingency operations, facility security plans, access records.
• Workstation Use/Security (§164.308(a)(6-7)): Secure locations, auto-logoff (5-15 min), screen privacy.
• Device/Portable Media (§164.308(a)(12)): Disposal, media re-use, data movement policies.​

Technical Safeguards Core tech protections:

Specification	Requirements	2026 Focus
Access Control (§164.308(a)(4))	Unique user IDs, emergency access, auto-logoff	Mandatory MFA for PHI systems/remote access.​
Audit Controls (§164.308(a)(1)(ii)(D))	Hardware/software logs for ePHI activity	Centralized logging/monitoring; regular reviews.
Integrity (§164.308(a)(1)(ii)(C))	Mechanism to authenticate ePHI	Detection of unauthorized changes.
Person/Entity Authentication (§164.308(a)(4)(ii)(B))	Verify identities before access	Strengthened via MFA/encryption.
Transmission Security (§164.308(a)(4)(ii)(C))	Integrity controls, encryption	Mandatory for ePHI at rest/transit (AES-256).

Implementation notes Conduct enterprise risk analysis scoping all ePHI assets, including cloud/SaaS; and remediate with a prioritized roadmap. Integrate into compliance program (OIG seven elements), BAAs, and OCR response plans from prior discussions. Sprinto automates audits, mappings, and evidence for 2026 prescriptive shifts. Retain docs 6 years; leverage NIST 800-66/HITRUST for safe harbor.