Which categories of safeguards does the HIPAA Security Rule require?

Study for the Ivy Tech Medical Law and Ethics Exam. Build your comprehension with flashcards and multiple-choice questions, each with valuable hints and explanations. Prepare effectively for your exam!

Multiple Choice

Which categories of safeguards does the HIPAA Security Rule require?

Explanation:
At a high level, the HIPAA Security Rule requires protecting electronic protected health information (e-PHI) through a comprehensive approach that covers people, processes, and technology. This means administrative safeguards, physical safeguards, and technical safeguards all must be addressed, not just one area. Administrative safeguards involve the policies and procedures that manage how the workforce protects e-PHI—things like security management processes, defining and enforcing roles and access, workforce training, and incident response and contingency planning. Physical safeguards focus on the protection of the physical environment and devices, such as controlling facility access, securing workstations, and managing devices and media. Technical safeguards cover the technology-based controls, including access controls (unique user IDs and emergency access procedures), audit controls, data integrity measures, authentication, and protections for data in transit. Taken together, these three categories create a layered defense to ensure e-PHI remains confidential, available, and protected from improper access or disclosure.

