HHS · HIPAA Security Rule
HIPAA Security Rule Readiness: Safeguards for ePHI
The HIPAA Security Rule sets national standards for protecting electronic protected health information, or ePHI. It applies to covered entities such as health plans and providers, and to the business associates that handle ePHI on their behalf. Rather than prescribe specific products, it requires a program of administrative, physical, and technical safeguards appropriate to each organization.
For compliance officers and CISOs, the rule's demands are ongoing rather than one-time: a current risk analysis, controls that match the risks it identifies, and evidence that safeguards actually operate. As AI tools begin to touch clinical and patient data, the question of whether ePHI is properly governed becomes more urgent. This page explains the requirements and how to keep them continuously evidenced.
Or call us directly: (877) 945-7177
What the rule requires
The Security Rule is organized into three categories of safeguards. Administrative safeguards cover the policies, workforce training, and risk management that run the program. Physical safeguards protect the facilities and devices where ePHI lives. Technical safeguards cover the technology controls, including access controls, audit controls, and mechanisms to protect data in transit and at rest.
Two elements anchor the rule. A required, ongoing risk analysis identifies threats and vulnerabilities to ePHI and drives the choice of controls. And whenever a business associate handles ePHI, a business associate agreement must be in place, extending the safeguard obligations down the chain. Encryption and access and audit controls are central technical expectations for demonstrating protection.
- Administrative safeguards: risk analysis, risk management, workforce training
- Physical safeguards: facility and device protections for ePHI
- Technical safeguards: access controls, audit controls, transmission security
- A current, ongoing risk analysis driving control decisions
- Encryption of ePHI where appropriate, and business associate agreements with vendors
Where firms fall short
The single most cited HIPAA weakness is the risk analysis. Organizations either never complete a thorough one, or they do it once and never update it, so their safeguards are no longer matched to the risks they actually face. Enforcement repeatedly turns on this gap.
The other growing weakness is untracked vendors and tools that touch ePHI. New cloud services and AI tools are adopted without a business associate agreement, without confirming access and audit controls, and without appearing in the risk analysis. When PHI flows into systems no one governs, the organization cannot demonstrate control of it.
- Risk analysis that is missing, incomplete, or years out of date
- AI tools processing PHI without safeguards or a business associate agreement
- Weak access controls and no meaningful audit logging of ePHI access
- ePHI left unencrypted where encryption would be appropriate
- Vendors handling ePHI outside any documented agreement or oversight
How Centience helps
Centience applies continuous governance to ePHI safeguards by tracking whether your risk analysis is current, whether access and audit controls are in place, and whether every tool and vendor touching PHI, including AI services, is covered by an agreement and by your safeguards program. It keeps the evidence trail that demonstrates controls are operating, not just documented.
Start with the free Governance Score. It shows where your risk analysis, technical safeguards, and business associate coverage have gaps, and where AI tools raise PHI governance questions, so your Security Rule program stays audit-ready and continuously evidenced.
FAQ
Frequently Asked Questions
Who must comply with the HIPAA Security Rule?+
Covered entities such as health plans, healthcare clearinghouses, and most providers, along with the business associates that create, receive, maintain, or transmit ePHI on their behalf. Business associates are directly responsible for meeting applicable Security Rule requirements.
Is a risk analysis actually required?+
Yes. Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to ePHI is a foundational requirement, and it is expected to be kept current rather than performed once. It is one of the most common areas of enforcement findings.
Is encryption mandatory under the rule?+
The rule treats encryption as an addressable specification, which means an organization must assess whether it is reasonable and appropriate and, if so, implement it, or document why an equivalent alternative is used. In practice, encryption of ePHI is widely expected.
What about AI tools that process patient data?+
Any tool or vendor that handles ePHI, including AI services, falls within your safeguard and oversight obligations and generally requires a business associate agreement. Firms should confirm access and audit controls and include these tools in their risk analysis before PHI flows into them.
See where your firm stands — in minutes.
The free Governance Score gives you a 0–100 readiness score, a peer benchmark, and your priority gaps mapped to the rules that matter.
Get Your Free Governance ScoreOr call (877) 945-7177
