Ship AI without shipping risk.
glossary

What Is HIPAA?

What Is HIPAA?

Summary

HIPAA's Security Rule requires specific, documented safeguards for electronic protected health information across three categories: administrative, physical, and technical. A proposed update to the Security Rule (published January 2025, with a final rule expected in 2026) would make those requirements more prescriptive: mandatory encryption, MFA, network segmentation, and annual penetration testing. For healthcare organizations, access governance connects every safeguard category.

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting sensitive patient health information. Enforced by the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR), it applies to covered entities: healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.

Violations carry real consequences: fines range from $100 to $50,000 per violation (up to $1.9 million annually per violation category), and willful neglect cases routinely result in seven-figure settlements.

HIPAA's security requirements are organized into three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. For IT and security teams, the Security Rule is where most of the operational requirements live. Organizations that also handle financial data often face parallel requirements under the GLBA Safeguards Rule, and many align their controls to NIST frameworks, making a unified identity governance approach more efficient than managing each framework separately.

The HIPAA Security Rule: what it actually requires

The Security Rule establishes three categories of safeguards for electronic protected health information (ePHI):

Administrative Safeguards

Policies, processes, and procedures that manage how ePHI is protected and who is responsible for protecting it.

  • Security management process: Risk analysis and risk management, sanctions for policy violations, and ongoing review of security systems including audit logs and access reports
  • Assigned security responsibility: A designated security official owns the information security program
  • Workforce security: Access to ePHI is restricted to employees who need it based on job function, with controls covering authorization, clearance, and offboarding
  • Information access management: Provisioning and revoking access to ePHI is governed by documented processes, with access levels tied to role and duty
  • Security awareness and training: All workforce members, including management, receive training on their security responsibilities
  • Security incident procedures: Documented procedures for responding to and mitigating unauthorized access or disclosure
  • Contingency planning: Data backup and disaster recovery plans, tested and revised regularly
  • Evaluation: Ongoing monitoring and assessment of the effectiveness of security policies

Physical Safeguards

Controls protecting the physical infrastructure where ePHI is stored or accessed.

  • Facility access control: Physical access to systems storing ePHI is restricted and aligned with role-based controls
  • Workstation security: Laptops, tablets, and workstations with access to ePHI are secured against unauthorized access
  • Device and media control: Removable media containing ePHI is tracked, controlled, and properly disposed of

Technical Safeguards

The technology and related policies that protect ePHI and control access to it.

  • Access control (45 CFR § 164.312(a)(1)): Role-based and just-in-time access controls restrict ePHI access to authorized users only, per the minimum necessary rule
  • Audit controls (45 CFR § 164.312(b)): Hardware and software mechanisms track and log system activity (logins, access events, and modifications to ePHI) for auditability
  • Integrity controls: Procedures protect ePHI from unauthorized alteration
  • Authentication: Identity verification (SSO, MFA, 2FA) is required before granting access to ePHI
  • Transmission security: ePHI transmitted electronically is encrypted and integrity-protected

The HIPAA Security Rule update: what's changing

The first major update to the HIPAA Security Rule since 2013 was formally proposed in the Federal Register on January 6, 2025. The 60-day comment period closed March 7, 2025. As of mid-2026, HHS has indicated a final rule is expected, though a coalition of industry associations led by CHIME has pushed back on the scope of the proposed changes. A slimmed-down final rule is considered likely.

One of the most significant structural changes in the proposal: the removal of the distinction between "required" and "addressable" implementation specifications. The "addressable" label led many covered entities to treat those controls as optional. Under the proposed update, all Security Rule requirements are mandatory.

Key proposed additions include:

  • Mandatory encryption of all ePHI at rest and in transit
  • Multi-factor authentication for all access to ePHI
  • Network segmentation to limit lateral movement in a breach
  • Technology asset inventory and network map updated at least annually, documenting all systems that handle ePHI
  • Vulnerability scanning every six months and penetration testing annually
  • Security Rule compliance audits conducted at least every 12 months
  • 72-hour data restoration requirement with documented contingency procedures
  • Annual verification of business associate cybersecurity measures

The direction aligns with what NIST, the GLBA Safeguards Rule, and HITRUST already require: documented, auditable controls, not flexible best-effort policies. Healthcare organizations that have been treating "addressable" specifications as optional should not wait for the final rule to start closing those gaps.

Where access governance fits in HIPAA compliance

The thread running through every administrative and technical safeguard is access. HIPAA's core security requirement is that only the right people access ePHI, and that you can prove it.

That requires more than an IdP and an access control list. It requires:

  • Access reviews: Regularly verifying that every person who has access to ePHI still needs it, and that access was approved appropriately
  • Least privilege: Ensuring workforce members have access only to the ePHI required for their job function, not whatever was provisioned when they started
  • Offboarding controls: Revoking access when workforce members leave immediately, not whenever the IT ticket gets processed
  • Just-in-time access: Granting temporary, time-limited access to sensitive systems rather than maintaining standing privileged access
  • Audit trails: Maintaining logs of who accessed what ePHI, when, and under what approval: the evidence your compliance team needs during an OCR audit

HIPAA and non-human identities

Healthcare organizations are deploying AI tools at scale: clinical decision support, revenue cycle automation, and patient communication platforms. Many of these tools access ePHI as part of their function.

A clinical AI agent that reads patient records to generate care recommendations is an identity with access to protected health information. HIPAA's access control and audit requirements apply to that agent the same way they apply to a human employee. Most organizations haven't caught up to this yet.

Ensuring non-human identities have scoped, reviewable, auditable access to ePHI is an emerging HIPAA compliance requirement that traditional tools aren't built to handle. See also: non-employee access management and vendor privileged access.

How C1 helps healthcare organizations meet HIPAA requirements

C1's Compliance & Risk Management platform addresses the access control, audit, and workforce security requirements at the center of HIPAA compliance:

  • Intelligent Access Reviews: automated campaigns that replace manual spreadsheet reviews with AI-driven, documented, auditable evidence. "The time our managers spend on reviews has gone from hours to less than 30 minutes." — Roberto Mateo, VP of IT Business Operations, PriceSmart. C1 customers see an 85% reduction in access review time and 100% on-time completion
  • Least privilege enforcement: Dynamic Access Controls continuously monitor for over-provisioned access across every application, with automated flagging of orphaned accounts, unused access, and over-permissioned accounts
  • Joiner-mover-leaver (JML) automation: access provisioned at hire, adjusted at role change, revoked at departure, automatically, not whenever the IT ticket gets processed
  • Just-in-Time Access: time-bound grants for sensitive ePHI systems replacing standing access, with automatic revocation at expiry. 95% reduction in standing privileges, <60 seconds from request to provisioned access
  • Separation of duties detection: automatic flagging of toxic access combinations across clinical and administrative applications before auditors find them
  • AI agent governance: every clinical AI tool, every MCP connection, and every agent action touching ePHI is logged, policy-enforced, and auditable as a first-class identity
  • Audit-ready reporting: access history and review evidence exportable on demand for OCR audits, with no manual log review required

Healthcare organizations operating under multiple frameworks should also review HITRUST certification, which provides a unified control framework that maps to HIPAA, NIST, and other standards. For broader identity governance strategy, see the identity governance best practices guide and non-employee access management.

Stay in touch

The best way to keep up with identity security tips, guides, and industry best practices.

Explore more posts

 Identity Security: Processes, Use Cases & How to Implement

Identity Security: Processes, Use Cases & How to Implement

11 Best Access Governance Software for Identity Management in 2026

11 Best Access Governance Software for Identity Management in 2026

How to Stay Compliant with User Access Reviews

How to Stay Compliant with User Access Reviews