HIPAA Security Guide Quick Reference

A quick-reference tour of the HIPAA Security Rule for practice administrators, security officials, and auditors who need the whole picture in 10 minutes.

CMMC-AB RPO #1449 · BBB A+ Since 2003 · Healthcare Compliance Specialists
Regulation

What the regulation requires

45 CFR Part 164 Subpart C (Security Rule)

The Security Rule applies to every covered entity and business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI). It requires reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of that ePHI, and it lets each organization scale those safeguards to its size, complexity, and risk profile (164.306(b)).

This page is the quick map. For deeper dives, follow the links into the individual standards. For a buyer's playbook, see the HIPAA 4-pillars guide. For implementation help, call Penny.

Implementation specifications

Administrative - 9 standards (164.308)
Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, Business Associate Contracts and Other Arrangements.

Physical - 4 standards (164.310)
Facility Access Controls, Workstation Use, Workstation Security, Device and Media Controls.

Technical - 5 standards (164.312)
Access Control, Audit Controls, Integrity, Person or Entity Authentication, Transmission Security.

Organizational + Documentation - 4 standards (164.314 and 164.316)
Business Associate Contract Content, Requirements for Group Health Plans, Policies and Procedures, Documentation (six-year retention).

Implementation

How Petronella implements the Security Rule

Every Petronella HIPAA engagement maps 45 CFR Part 164 Subpart C (Security Rule) to documented evidence in your environment. This is what that looks like in practice across the whole rule:

  • Full HIPAA program: risk analysis, risk management, policy and procedure set, training, BAA management, IR retainer, annual evaluation.
  • Documentation engine through ComplianceArmor with policies, evidence, and training records under one BAA-covered roof.
  • Optional managed IT layer for the technical safeguards: tenant hardening, MFA, encryption, audit logging with six-year retention, patch cadence.
  • vCISO services for organizations that want a credentialed Security Official without hiring full-time.

Built on top of ComplianceArmor for documentation, training records, and BAA inventory, with optional HIPAA managed IT services for the technical safeguard layer and vCISO services for the named Security Official role.

Common Findings

Where most practices fall short

OCR resolution agreements, HHS audit reports, and our own engagements show the same handful of gaps under 45 CFR Part 164 Subpart C (Security Rule). We surface these before they become a finding.

  • Practices want one document that covers the whole rule but get lost in the structure of 164.308 - 164.316. This page is that map.
  • Most quick guides on the internet are years out of date - written before HITECH (2009), before the 2013 Omnibus Rule, and before NIST SP 800-66 Rev. 2 (2024).
  • Generic guides do not distinguish between Required and Addressable implementation specifications, leading to under- or over-scoping. Addressable does not mean optional: under 164.306(d)(3) you implement the specification, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is.
  • Most do not mention the six-year documentation retention requirement (164.316(b)(2)), one of the most commonly cited gaps. The clock runs from the date the document was created or the date it was last in effect, whichever is later.

Related

Related HIPAA safeguards

The standards above interlock: the risk analysis under 164.308(a)(1) drives which technical safeguards you select under 164.312, and 164.316 requires the result to be documented. Cover them together for a defensible program.

Need help with HIPAA Security Guide?

Penny answers before the third ring, asks 3 qualifying questions, then books your free 15-minute consultation. Or jump straight to the platform that runs your HIPAA program.

← Back to HIPAA compliance pillar