HIPAA Security Rule v2024
Health Insurance Portability and Accountability Act - Security safeguards for electronic protected health information (ePHI)
This is a reference tool, not an authoritative source. For official documentation, visit www.hhs.gov.
132 requirements in total
§ 164.306 — General Requirements (25 requirements)
§ 164.306 Security standards: General rules
§ 164.306(a) General requirements: a covered entity or business associate must do the following
§ 164.306(a)(1) Ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits
§ 164.306(a)(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of that ePHI
§ 164.306(a)(3) Protect against any reasonably anticipated uses or disclosures of that ePHI that are not permitted or required under the Privacy Rule (subpart E)
§ 164.306(a)(4) Ensure compliance with the Security Rule by its workforce
§ 164.306(b) Flexibility of approach
§ 164.306(b)(1) Any security measures may be used that allow the entity to reasonably and appropriately implement the standards and implementation specifications
§ 164.306(b)(2) In deciding which security measures to use, the entity must take into account:
§ 164.306(b)(2)(i) Its size, complexity, and capabilities
§ 164.306(b)(2)(ii) Its technical infrastructure, hardware, and software security capabilities
§ 164.306(b)(2)(iii) The costs of security measures
§ 164.306(b)(2)(iv) The probability and criticality of potential risks to ePHI
§ 164.306(c) Standards: comply with the applicable standards in this section and in §§ 164.308, 164.310, 164.312, 164.314, and 164.316 with respect to all ePHI
§ 164.306(d) Implementation specifications
§ 164.306(d)(1) Implementation specifications are either required or addressable
§ 164.306(d)(2) Required implementation specifications must be implemented
§ 164.306(d)(3) Addressable implementation specifications:
§ 164.306(d)(3)(i) Assess whether each one is a reasonable and appropriate safeguard in the entity's environment, considering its likely contribution to protecting ePHI
§ 164.306(d)(3)(ii) As applicable:
§ 164.306(d)(3)(ii)(A) Implement the specification if reasonable and appropriate
§ 164.306(d)(3)(ii)(B) If implementing the specification is not reasonable and appropriate:
§ 164.306(d)(3)(ii)(B)(1) Document why it would not be reasonable and appropriate to implement
§ 164.306(d)(3)(ii)(B)(2) Implement an equivalent alternative measure if reasonable and appropriate
§ 164.306(e) Maintenance: review and modify security measures as needed to continue providing reasonable and appropriate protection of ePHI, and update the documentation of those measures under § 164.316(b)(2)(iii)
§ 164.308 — Administrative Safeguards (45 requirements)
§ 164.308 Administrative safeguards
§ 164.308(a) A covered entity or business associate must, in accordance with § 164.306:
§ 164.308(a)(1)
§ 164.308(a)(1)(i) Standard: Security management process
§ 164.308(a)(1)(ii) Implementation specifications:
§ 164.308(a)(1)(ii)(A) Risk analysis (Required)
§ 164.308(a)(1)(ii)(B) Risk management (Required)
§ 164.308(a)(1)(ii)(C) Sanction policy (Required)
§ 164.308(a)(1)(ii)(D) Information system activity review (Required)
§ 164.308(a)(2) Standard: Assigned security responsibility
§ 164.308(a)(3)
§ 164.308(a)(3)(i) Standard: Workforce security
§ 164.308(a)(3)(ii) Implementation specifications:
§ 164.308(a)(3)(ii)(A) Authorization and/or supervision (Addressable)
§ 164.308(a)(3)(ii)(B) Workforce clearance procedure (Addressable)
§ 164.308(a)(3)(ii)(C) Termination procedures (Addressable)
§ 164.308(a)(4)
§ 164.308(a)(4)(i) Standard: Information access management
§ 164.308(a)(4)(ii) Implementation specifications:
§ 164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions (Required)
§ 164.308(a)(4)(ii)(B) Access authorization (Addressable)
§ 164.308(a)(4)(ii)(C) Access establishment and modification (Addressable)
§ 164.308(a)(5)
§ 164.308(a)(5)(i) Standard: Security awareness and training
§ 164.308(a)(5)(ii) Implementation specifications:
§ 164.308(a)(5)(ii)(A) Security reminders (Addressable)
§ 164.308(a)(5)(ii)(B) Protection from malicious software (Addressable)
§ 164.308(a)(5)(ii)(C) Log-in monitoring (Addressable)
§ 164.308(a)(5)(ii)(D) Password management (Addressable)
§ 164.308(a)(6)
§ 164.308(a)(6)(i) Standard: Security incident procedures
§ 164.308(a)(6)(ii) Implementation specification: Response and reporting (Required)
§ 164.308(a)(7)
§ 164.308(a)(7)(i) Standard: Contingency plan
§ 164.308(a)(7)(ii) Implementation specifications:
§ 164.308(a)(7)(ii)(A) Data backup plan (Required)
§ 164.308(a)(7)(ii)(B) Disaster recovery plan (Required)
§ 164.308(a)(7)(ii)(C) Emergency mode operation plan (Required)
§ 164.308(a)(7)(ii)(D) Testing and revision procedures (Addressable)
§ 164.308(a)(7)(ii)(E) Applications and data criticality analysis (Addressable)
§ 164.308(a)(8) Standard: Evaluation
§ 164.308(b)
§ 164.308(b)(1) Business associate contracts and other arrangements: a covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on its behalf only if it obtains satisfactory assurances under § 164.314(a) that the business associate will appropriately safeguard the information (no such assurances are required from a business associate that is a subcontractor)
§ 164.308(b)(2) A business associate may permit a subcontractor to create, receive, maintain, or transmit ePHI on its behalf only if it obtains satisfactory assurances under § 164.314(a) that the subcontractor will appropriately safeguard the information
§ 164.308(b)(3) Implementation specifications: Written contract or other arrangement (Required)
§ 164.310 — Physical Safeguards (17 requirements)
§ 164.310 Physical safeguards
§ 164.310(a)
§ 164.310(a)(1) Standard: Facility access controls
§ 164.310(a)(2) Implementation specifications:
§ 164.310(a)(2)(i) Contingency operations (Addressable)
§ 164.310(a)(2)(ii) Facility security plan (Addressable)
§ 164.310(a)(2)(iii) Access control and validation procedures (Addressable)
§ 164.310(a)(2)(iv) Maintenance records (Addressable)
§ 164.310(b) Standard: Workstation use
§ 164.310(c) Standard: Workstation security
§ 164.310(d)
§ 164.310(d)(1) Standard: Device and media controls
§ 164.310(d)(2) Implementation specifications:
§ 164.310(d)(2)(i) Disposal (Required)
§ 164.310(d)(2)(ii) Media re-use (Required)
§ 164.310(d)(2)(iii) Accountability (Addressable)
§ 164.310(d)(2)(iv) Data backup and storage (Addressable)
§ 164.312 — Technical Safeguards (18 requirements)
§ 164.312 Technical safeguards
§ 164.312(a)
§ 164.312(a)(1) Standard: Access control
§ 164.312(a)(2) Implementation specifications:
§ 164.312(a)(2)(i) Unique user identification (Required)
§ 164.312(a)(2)(ii) Emergency access procedure (Required)
§ 164.312(a)(2)(iii) Automatic logoff (Addressable)
§ 164.312(a)(2)(iv) Encryption and decryption (Addressable)
§ 164.312(b) Standard: Audit controls
§ 164.312(c)
§ 164.312(c)(1) Standard: Integrity
§ 164.312(c)(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable)
§ 164.312(d) Standard: Person or entity authentication
§ 164.312(e)
§ 164.312(e)(1) Standard: Transmission security
§ 164.312(e)(2) Implementation specifications:
§ 164.312(e)(2)(i) Integrity controls (Addressable)
§ 164.312(e)(2)(ii) Encryption (Addressable)
§ 164.314 — Organizational Requirements (17 requirements)
§ 164.314 Organizational requirements
§ 164.314(a)
§ 164.314(a)(1) Standard: Business associate contracts or other arrangements
§ 164.314(a)(2) Implementation specifications (Required)
§ 164.314(a)(2)(i) Business associate contracts: the contract must provide that the business associate will
§ 164.314(a)(2)(i)(A) Comply with the applicable requirements of the Security Rule
§ 164.314(a)(2)(i)(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on its behalf agree to comply with the applicable requirements by entering into a contract or other arrangement that complies with this section
§ 164.314(a)(2)(i)(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410
§ 164.314(a)(2)(ii) Other arrangements: the covered entity is in compliance if it has another arrangement in place that meets the requirements of § 164.504(e)(3)
§ 164.314(a)(2)(iii) Business associate contracts with subcontractors: the requirements of (a)(2)(i) and (ii) apply to the contract or other arrangement between a business associate and its subcontractor in the same manner as between a covered entity and a business associate
§ 164.314(b)
§ 164.314(b)(1) Standard: Requirements for group health plans
§ 164.314(b)(2) Implementation specifications (Required): the plan documents must be amended to incorporate provisions requiring the plan sponsor to
§ 164.314(b)(2)(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI it creates, receives, maintains, or transmits on behalf of the group health plan
§ 164.314(b)(2)(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures
§ 164.314(b)(2)(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information
§ 164.314(b)(2)(iv) Report to the group health plan any security incident of which it becomes aware
§ 164.316 — Policies and Procedures (10 requirements)
§ 164.316 Policies and procedures and documentation requirements
§ 164.316(a) Standard: Policies and procedures
§ 164.316(b)
§ 164.316(b)(1) Standard: Documentation
§ 164.316(b)(1)(i) Maintain the policies and procedures implemented to comply with the Security Rule in written (which may be electronic) form
§ 164.316(b)(1)(ii) If an action, activity, or assessment is required by the Security Rule to be documented, maintain a written (which may be electronic) record of that action, activity, or assessment
§ 164.316(b)(2) Implementation specifications:
§ 164.316(b)(2)(i) Time limit (Required)
§ 164.316(b)(2)(ii) Availability (Required)
§ 164.316(b)(2)(iii) Updates (Required)