Under HIPAA, the Security Rule requires covered entities to implement which types of safeguards?

Study for the BCPS Regulatory Test. Prepare with flashcards and multiple choice questions; each question includes hints and explanations to get you ready for the exam!

Multiple Choice

Under HIPAA, the Security Rule requires covered entities to implement which types of safeguards?

Explanation:
HIPAA’s Security Rule requires a comprehensive approach to protecting electronic protected health information through three kinds of safeguards: administrative, physical, and technical. Administrative safeguards establish the governance of security—policies, risk analysis and management, workforce training, access authorization, security incident procedures, and contingency planning. Physical safeguards address the actual environment and devices—controls on facility access, workstation security, and controls for device and media handling. Technical safeguards are the technology-based measures that protect and control access to ePHI—such as access control mechanisms, audit controls, data integrity protections, authentication, encryption where appropriate, and transmission security. Since the rule calls for all three types, meeting only one or two areas wouldn’t satisfy the standard; a full spectrum of safeguards across administrative, physical, and technical domains is required.

