HIPAA Security Rule

  1. The HIPAA Security Rule requires covered entities to implement administrative, physical and technical safeguards to protect the confidentiality and integrity of Protected Health Information (PHI).

  2. Covered entities must assess the potential risks and vulnerabilities to the confidentiality, integrity and availability of all electronic PHI that they create, receive, maintain or transmit.

  3. Covered entities must ensure that all employees are trained on HIPAA Security Rule requirements and that they understand and follow the policies and procedures implemented by the organization.

  4. Covered entities must develop and implement written policies and procedures that address the security standards outlined in the HIPAA Security Rule.

  5. Covered entities must implement technical safeguards to protect electronic PHI from unauthorized access, disclosure, alteration or destruction.

  6. Covered entities must implement physical safeguards to protect electronic PHI from unauthorized access, disclosure, alteration or destruction.

  7. Covered entities must implement administrative safeguards to protect electronic PHI from unauthorized access, disclosure, alteration or destruction.

  8. Covered entities must monitor and audit the use and disclosure of PHI.

  9. Covered entities must ensure that any business associates they contract with are compliant with the HIPAA Security Rule.

  10. Covered entities must ensure that any subcontractors they contract with are compliant with the HIPAA Security Rule.

  11. Covered entities must implement a mechanism for detecting security incidents and responding to them promptly.

  12. Covered entities must have a process in place for responding to security incidents and data breaches.

  13. Covered entities must have a process in place for regularly testing and monitoring the effectiveness of their security measures.

  14. Covered entities must provide reasonable safeguards to protect the confidentiality and integrity of PHI when it is transmitted or stored electronically.
