HIPAA Security Rule Compliance 45 CFR 164 Subpart C
The HIPAA Security Rule sits at 45 CFR Part 164 Subpart C. It defines the administrative, physical, and technical safeguards every covered entity and business associate must implement to protect electronic protected health information.
What the regulation requires
The Security Rule has 22 standards organized into Administrative Safeguards (164.308), Physical Safeguards (164.310), Technical Safeguards (164.312), Organizational Requirements (164.314), and Policies / Procedures / Documentation (164.316). Across these, there are 42 implementation specifications - 20 required, 22 addressable.
Implementation specifications
Administrative Safeguards (164.308)
Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, Business Associate Contracts. (164.308)
Physical Safeguards (164.310)
Facility Access Controls, Workstation Use, Workstation Security, Device and Media Controls. (164.310)
Technical Safeguards (164.312)
Access Control, Audit Controls, Integrity, Person or Entity Authentication, Transmission Security. (164.312)
Organizational Requirements (164.314)
Business Associate Contract content, Group Health Plan requirements. (164.314)
Policies and Procedures (164.316)
Maintain written policies and procedures, retain documentation for six years from creation or last effective date. (164.316)
How Petronella implements this safeguard
Every Petronella HIPAA engagement maps 45 CFR 164.306(a) to documented evidence in your environment. This is what that looks like in practice for the HIPAA Security Rule compliance standard:
- Full Security Rule program build covering all 22 standards and 42 implementation specifications, with documented evidence per spec.
- Annual evaluation under 164.308(a)(8) producing a remediation roadmap fed back into the risk register.
- ComplianceArmor as the documentation engine - policies, procedures, training, BAAs, audit logs, and incident records in one auditable repository with six-year retention.
- Quarterly leadership review with the Security Official, KPI dashboards, and a current view of every open finding.
Built on top of ComplianceArmor for documentation, training records, and BAA inventory, with optional HIPAA managed IT services for the technical safeguard layer and vCISO services for the named Security Official role.
Where most practices fall short
OCR resolution agreements, HHS audit reports, and our own engagements show the same handful of gaps under 45 CFR 164.306(a). We surface these before they become a finding.
- Security Rule treated as a one-time implementation rather than a continuous program (the headline finding in nearly every OCR resolution agreement).
- Subset of safeguards covered (typically Access Control and Encryption) while administrative and physical safeguards are skipped.
- Documentation does not survive the six-year retention requirement under 164.316(b)(2)(i).
- No alternative-measure documentation for addressable specs that the practice has chosen not to implement directly.
Related HIPAA safeguards
HIPAA Security Rule Compliance interacts with several other Security Rule standards. Cover them together for a defensible program.
Need help with HIPAA Security Rule Compliance?
Penny answers before the third ring, asks 3 qualifying questions, then books your free 15. Or jump straight to the platform that runs your HIPAA program.