Which type of safeguards does the HIPAA Security Rule require for electronic protected health information (ePHI) in covered entities?

Protecting electronic protected health information requires a comprehensive approach that covers three distinct areas: administrative, physical, and technical safeguards. Administrative safeguards establish the overall security governance and processes, such as risk analysis, security management, workforce training, and incident response procedures. Physical safeguards protect the actual locations and devices where ePHI is stored or accessed, including facility access controls, workstation security, and device/media controls. Technical safeguards implement the technology and related policies that enforce access control, protect data integrity, safeguard during transmission, and support audit controls and authentication. Because the rule aims to safeguard ePHI across people, processes, and technology, covered entities must implement safeguards in all three areas.