HIPAA Security Rule + Checklist: Definitive Guide
- March 27, 2025
- Posted by: Dr Vinati Kamani
- Category: Healthcare Compliance
In February 2016, Jocelyn Samuels, then Director of the Office for Civil Rights (OCR), delivered a firm warning regarding HIPAA violations, emphasizing that while voluntary compliance is preferred, enforcement through litigation is very much on the table. This was not a symbolic statement. In fact, it marked a turning point in how seriously the OCR would pursue organizations that failed to safeguard protected health information (PHI).
The consequences have been significant. The University of Texas MD Anderson Cancer Center was fined over $4.3 million in 2018 due to unencrypted devices containing electronic PHI (ePHI). In another landmark case, Advocate Health Care Network paid a $5.5 million settlement in 2017 after losing the records of nearly 4 million individuals in multiple data breaches. Since 2016 alone, healthcare organizations and their business associates have paid over $75 million in fines for HIPAA non-compliance, demonstrating the real financial risk of neglecting proper safeguards.
At the heart of HIPAA enforcement is the HIPAA Security Rule, a foundational component of the broader HIPAA Compliance Framework. This rule outlines the technical, physical, and administrative safeguards required to protect ePHI, particularly when developing or managing healthcare software, apps, and digital platforms. Whether you’re a covered entity or a HealthTech vendor, adhering to the Security Rule is essential not just for legal compliance, but for protecting patient trust and ensuring data integrity.
In this article, we’ll break down the HIPAA Security Rule Checklist in detail, explaining its core components, why each safeguard matters, and how to implement them effectively. If you’re developing healthcare software or managing patient data, this guide is your roadmap to staying compliant and audit-ready in an increasingly security-conscious industry.
Defining the Roles: HIPAA Security Rules
The two most important actors in the HIPAA Compliance protocols are:
1. Covered entities (CE)
A covered entity (CE) is any person, institution, or organization involved in ePHI exchange for medical billing and insurance purposes. This includes healthcare providers, healthcare clearinghouses, and health plans.
A hospital that maintains ePHI only for its own employees is generally not considered a CE for that data.
However, the hospital may provide employee health cover (or an employee assistance program) for its staff.
The hospital is then covered under HIPAA as a ‘hybrid entity’ (HE). A breach of this data (part of the employee benefits program) is still considered a HIPAA breach incident and must be promptly reported.
2. Business associates (BA)
A business associate (BA) provides an extension service to a CE. This can be any person, institution, or organization that has access to ePHI as part of the service it delivers to the CE. Typically, the following service providers to a CE are considered BAs:
- Accountants
- Lawyers
- IT Partners
- Cloud service providers
- Any other type of service provider with access to ePHI
A CE can engage third-party BAs according to its own business requirements, for example for HIPAA compliant hosting. However, it must obtain a signed assurance that the BA understands the rules and is ready to take measures to enforce them.
What is covered under the HIPAA Security Rule Checklist?
The HIPAA Security Rule applies to all covered entities and business associates and has many moving parts.
Administrative safeguards under HIPAA Security Rule
1. Security Management Process
CEs must ensure appropriate policies and procedures are in place to detect, correct, and contain security violations. They must apply the procedures of the Risk Management Framework on an ongoing basis.
The framework should also be applied when implementing any new policy that uses ePHI directly or indirectly.
2. Workforce security and Information Access Management
CEs must also determine which employee role requires what kind of access to a patient’s ePHI and take concrete steps to enforce that access control.
This means ePHI must not be accessed freely but only on a need-to-know basis. It may involve regularly updating data permissions on a case-by-case basis.
3. Security Awareness and Training
All those who have access to ePHI at any time (and for any amount of time) must be trained in what rules to follow and how to follow them.
4. Assigned Security Responsibility
Responsibility for complying with the HIPAA Security Rule must be assigned to a security officer. The CE must also designate a secondary security officer as a backup in the absence of the primary security officer.
5. Security Incident Procedures
All security incidents or breaches must be promptly and thoroughly reported. Additionally, the CE can set up processes to prevent these incidents from occurring in the first place.
These security support systems help predict and prevent security incidents before they occur.
6. Contingency Plans
The contingency plan must include the following:
- A disaster recovery plan
- A data backup plan
- A plan to maintain normalcy (or near-normalcy) of operations in the event of a breach
The CE must also regularly update these plans to keep pace with evolving HIPAA regulations. The standard also defines how to handle critical software applications involved in a breach.
7. Evaluation
8. Contracts with Business Associates (BAs)
The agreement with each BA must specify:
- What ePHI the BA will have access to during the course of the agreement
- How that ePHI will be used
- How the BA plans to destroy or return the data after the agreement ends
So, the BA also effectively becomes a CE for the purpose of the agreement.
Physical safeguards under HIPAA Security Rule
The CE must lock its server rooms and have access to them controlled and audited regularly. It can also use an appropriate number of CCTV cameras to track server room usage.
The CE must also password-protect all computers and storage devices (in all departments) that it uses in its IT processes.
Security measures should also ensure these passwords are not weak and that users update them on a monthly (or quarterly) basis.
All the access standards are equally applicable to:
- desktops and laptops inside and outside the premises.
- all types of removable storage drives (USB drives, internal and external hard drives) used with these devices.
Technical safeguards under HIPAA Security Rule
Technical safeguards are typically built into your healthcare application, so your software development company should be the one to implement them.
1. Access controls
Access to all devices and documents that store and process ePHI must be granted on a need-only basis. The CE must also regularly audit access control lists to address any discrepancies in access without delay.
2. Audit Controls
In the case of a data breach, the CE must be able to show the complete trail of the breach, including who accessed what data and when. The audit report must include enough information to prove exactly how the breach occurred.
3. Integrity
The CE must be able to prove that it fully protects all the ePHI that its facility exchanges or stores from internal as well as external threats. When required, the CE must readily provide proof of access to breached documents.
4. Secure Transmission
The CE must secure transmission of data and access to this data at the receiving site by using appropriate security protocols. When required, the CE must be able to furnish proof of transmission security levels.
5. Personal Authentication
The CE should be able to securely prove that the person accessing the information is using only his/her own credentials. In practice this means employees must not share or lose their login credentials.
CEs must control access to ePHI through advanced authentication methods such as retina scans, 2-factor authentication, or other stronger authentication methods.
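The access control, audit control and integrity safeguards above are easiest to understand when they sit together in one piece of code. The following Python example is added to this article and is not Arkenea's code or a reference implementation of the Security Rule: it is a small ePHI store that grants read/write access per role on a need-to-know basis, appends every access attempt (allowed or denied) to an HMAC-chained audit log that records who accessed which patient record, when, and with what outcome, and checks a keyed integrity tag on every read so that a record modified outside the application is detected rather than silently served. The role table, patient identifiers, record contents and keys are constructed for the example; the tamper_for_demo method only exists to simulate an out-of-band modification.

```python
import hashlib
import hmac
import json
import time

# Constructed role model: which operations each workforce role may perform on ePHI.
# Facilities staff have a role but no ePHI permissions, so every attempt is denied and logged.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),
}

CHAIN_ANCHOR = b"\x00" * 32  # value of "prev" for the first audit entry


class EphiStore:
    """Stores patient records with a keyed integrity tag per record and keeps a
    tamper-evident, hash-chained audit log of every access attempt."""

    def __init__(self, integrity_key: bytes, audit_key: bytes):
        self._ikey = integrity_key          # key for per-record integrity tags
        self._akey = audit_key              # key for audit log entry MACs
        self._records = {}                  # patient_id -> (json bytes, tag)
        self.audit_log = []                 # list of chained audit entries
        self._prev_mac = CHAIN_ANCHOR

    def _tag(self, data: bytes) -> str:
        return hmac.new(self._ikey, data, hashlib.sha256).hexdigest()

    def _audit(self, user: str, role: str, action: str, patient_id: str, outcome: str) -> None:
        # Who, what, when, outcome; "prev" links this entry to the previous one so
        # deleting or editing an earlier entry breaks verification.
        entry = {
            "ts": time.time(), "user": user, "role": role, "action": action,
            "patient": patient_id, "outcome": outcome, "prev": self._prev_mac.hex(),
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        mac = hmac.new(self._akey, payload, hashlib.sha256).digest()
        entry["mac"] = mac.hex()
        self.audit_log.append(entry)
        self._prev_mac = mac

    @staticmethod
    def _authorized(role: str, action: str) -> bool:
        return action in ROLE_PERMISSIONS.get(role, set())

    def write(self, user: str, role: str, patient_id: str, record: dict) -> bool:
        if not self._authorized(role, "write"):
            self._audit(user, role, "write", patient_id, "denied")
            return False
        data = json.dumps(record, sort_keys=True).encode()
        self._records[patient_id] = (data, self._tag(data))
        self._audit(user, role, "write", patient_id, "ok")
        return True

    def read(self, user: str, role: str, patient_id: str) -> dict:
        if not self._authorized(role, "read"):
            self._audit(user, role, "read", patient_id, "denied")
            raise PermissionError(f"role {role!r} may not read ePHI")
        data, tag = self._records[patient_id]
        if not hmac.compare_digest(tag, self._tag(data)):
            # Integrity safeguard: stored bytes no longer match their tag.
            self._audit(user, role, "read", patient_id, "integrity_failure")
            raise ValueError(f"integrity check failed for {patient_id}")
        self._audit(user, role, "read", patient_id, "ok")
        return json.loads(data)

    def tamper_for_demo(self, patient_id: str, new_bytes: bytes) -> None:
        """Simulates modification of the stored bytes outside the application
        (for example by editing the database directly); the old tag is kept."""
        _, tag = self._records[patient_id]
        self._records[patient_id] = (new_bytes, tag)

    def verify_audit_chain(self) -> bool:
        """Recomputes every entry's MAC and checks the prev links; returns False
        if any entry was edited, removed or reordered."""
        prev = CHAIN_ANCHOR
        for entry in self.audit_log:
            body = dict(entry)
            mac = bytes.fromhex(body.pop("mac"))
            if body["prev"] != prev.hex():
                return False
            payload = json.dumps(body, sort_keys=True).encode()
            if not hmac.compare_digest(mac, hmac.new(self._akey, payload, hashlib.sha256).digest()):
                return False
            prev = mac
        return True


if __name__ == "__main__":
    store = EphiStore(b"demo-integrity-key", b"demo-audit-key")
    store.write("dr_lee", "physician", "P-1001", {"name": "Test Patient", "dx": "J45.909"})
    store.read("dr_lee", "physician", "P-1001")
    store.write("b_jones", "billing", "P-1001", {"dx": "changed"})   # denied: billing is read-only
    for e in store.audit_log:
        print(e["user"], e["role"], e["action"], e["patient"], e["outcome"])
    print("audit chain intact:", store.verify_audit_chain())
```

The audit key and integrity key should live outside the application's database (an HSM or a secrets manager) so that whoever can edit records or log rows cannot also recompute the tags; with that separation, verify_audit_chain gives the CE exactly the evidence the audit-controls safeguard asks for, and a failed read tells the security officer that a record was altered rather than letting the application serve it.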
How to ensure HIPAA Compliance to avoid hefty fines
HIPAA compliance goes beyond the HIPAA Security Rule checklist. It also includes the Privacy Rule, the Omnibus Rule, the Breach Notification Rule, and the Enforcement Rule. A thorough risk assessment is a must for all healthcare apps.
Arkenea has over 13 years of experience in developing HITRUST and HIPAA compliant apps. We are a two-time award-winning healthcare software development company. This makes us uniquely positioned to apply the right technical safeguards to your websites and mobile apps. Our solution architects can also help you identify and engage with the right HIPAA compliant cloud storage for your business needs.