HIPAA Cybersecurity Requirements: A Complete Guide for Covered Entities
After working with many healthcare organizations on their HIPAA (Health Insurance Portability and Accountability Act) compliance, one thing is consistent: the gap between what the Security Rule requires and what most covered entities actually have documented is wider than leadership realizes. Healthcare remains one of the sectors most heavily targeted by cyberattacks, because of its highly sensitive data and the critical nature of its operations. Since 2021, more than 700 healthcare data breaches affecting 500 or more individuals have been reported to the U.S. Department of Health and Human Services (HHS) each year. That pace shows no sign of slowing, reflecting both external threat actors and the persistent internal gaps that compliance programs are designed to close.
The cost of non-compliance with HIPAA scales accordingly. Penalties from the HHS Office for Civil Rights (OCR) have reached seven figures, and a recurring theme in those cases is that organizations treated HIPAA compliance, their risk analysis, and the implementation of safeguards as one-time projects rather than as an ongoing security and privacy posture to be maintained.
In this article, we explore HIPAA cybersecurity requirements, what the Security Rule stipulates, how your business can meet its standards, and how to better protect against data breaches.
The Three Safeguards Every Covered Entity Must Have in Place
The HIPAA Security Rule organizes cybersecurity requirements into three main categories: administrative safeguards, physical safeguards, and technical safeguards. They each cover a different area of risk to electronic protected health information (ePHI).
Administrative safeguards cover policies that a covered entity has in place to protect ePHI. These include:
- Designated security roles within the business.
- Appropriate workforce authorizations.
- Incident management procedures.
- Security training and awareness.
- Contingency planning.
- Access management rules.
- Risk and vulnerability assessment and management procedures.
- Business contract protections.
- Regular safeguard assessments (both technical and non-technical).
Physical safeguards refer to how a covered entity physically protects the facilities, devices, and media that hold ePHI from unauthorized access, such as:
- Workstation and device locks.
- Physical access controls and procedures.
- Data removal and disposal policies.
- Security devices and monitoring.
Technical safeguards refer specifically to technical standards in place to secure ePHI, such as:
- Access controls and associated procedures.
- Integrity policies that protect ePHI against alteration and/or destruction.
- Auditing software and controls.
- Security measures safeguarding ePHI transmission.
- User access and request authentication.
The Security Rule also distinguishes between “required” and “addressable” implementation specifications:
- Required specifications are non-negotiable and must be implemented in full.
- Addressable specifications must be implemented if doing so is reasonable and appropriate; if not, the entity must document why and implement an equivalent alternative measure.
Why Documented Policies Are the Foundation of HIPAA Compliance
To adhere to HIPAA and to ensure your organization is audit-ready, you must prepare the right documentation to establish your written policies.
Compliance requires complete documentation for all written procedures and policies that fall within the Security Rule, and any activities that are contained within that rule.
These documents must be available to personnel responsible for implementing them and should be reviewed if there are any business changes that affect ePHI security.
HIPAA states that documentation must be retained for at least six years from the date it was created or the date it was last in effect.
Missing or outdated documentation can lead to penalties from the HHS OCR, failed audits, and even lawsuits. All covered entities must also have internal sanction policies that apply to workforce members who fail to comply with security policies and procedures.
An entity should always have a designated Security Officer who develops and maintains its data security policies and risk assessments.
Why Risk Analysis is HIPAA's Most Cited Enforcement Gap
Risk analysis remains a key sticking point in HIPAA non-compliance. The OCR’s enforcement data continues to show that incomplete risk analysis is the top compliance failure among covered entities. Some financial penalties incurred for this compliance gap in 2025 reached as much as seven-figure sums:
“The penalties assessed by OCR in 2025 for failing to do this are significant. The monetary fines announced in conjunction with the resolution agreements ranged from as little as $25,000 at the low end to as much as $3 million for a national medical supplier that did not conduct a “compliant risk analysis” and subsequently suffered a major data breach after a phishing incident.”
(Perry, B.W., and Watson, L.N.)
From our own collective experience, the reasons for failing to run a compliant risk analysis vary by organization. Some, for example, fail to realize that it is an ongoing, rolling assessment rather than a one-off exercise.
Regardless, a compliance-ready risk analysis, while adaptable, follows these steps:
- Map out scope to understand where ePHI is created and where it travels: what happens to it, where it is stored, and whether there are any potential leaks.
- Undertake a complete sweep of potential risks and vulnerabilities, such as access control failures, exploitable weaknesses in systems, lack of employee awareness, or failure to dispose of PHI securely. Consider external risks alongside internal weaknesses.
- Assess risk probability and impact in each case to assign a priority level. If it is a viable, present threat that would cause serious harm to your patients’ data security, it must be reviewed as a key priority.
- Develop a comprehensive plan to evaluate and establish security controls to mitigate these risks and regularly test your controls and environment.
Our complete guide to IT risk management explores the points to cover and protect in more detail, and there is specific guidance available from the OCR.
How to Protect ePHI From Unauthorized Access
To protect ePHI from unauthorized access, and to control who has the right to read and use it, HIPAA expects entities to ensure that ePHI cannot be read, interpreted, or used by anyone, or anything, that does not have explicit permission. Encryption of data at rest and in transit is the primary mechanism for achieving this. Under the current Security Rule, encryption carries an “addressable” status, meaning organizations that choose not to implement it must document an equivalent alternative. In practice, that flexibility is rarely legitimately justifiable, and OCR has consistently treated absent or inadequate encryption as a compliance failure. Under the proposed 2026 rule updates, the addressable distinction is eliminated entirely, making previously addressable specifications hard requirements.
That covers data at rest (e.g., on a server drive or laptop) and in transit (e.g., sent across a network). For the latter, you may use Transport Layer Security (TLS) and/or SFTP (the SSH File Transfer Protocol).
Alongside encrypting data, it’s wise to follow a stringent authentication and access control process, including multi-factor authentication (MFA), biometric factors where appropriate, and regular review of user permissions.
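The "encryption in transit" safeguard is only as good as the TLS settings the software actually enforces. The following added example (not code from the article or from VikingCloud) uses only Python's standard library to build a client context suitable for ePHI transfers and to audit any context against a stated floor: TLS 1.2 or newer, certificate verification required, and hostname checking on. The function names and the TLS 1.2 floor are this example's own assumptions; a deliberately weak context is included so the audit has something to flag.

```python
"""Hardened TLS client context for ePHI in transit, plus an audit function.

Added illustration (not code from the original article or from VikingCloud).
Uses only the Python standard library. The names make_ephi_tls_context,
make_weak_tls_context, audit_tls_context and MIN_TLS are this example's own.
"""
import ssl

# Assumption for this example: TLS 1.2 is the floor for any ePHI transfer.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_ephi_tls_context() -> ssl.SSLContext:
    """Return a client context suitable for transmitting ePHI.

    - only TLS 1.2 and newer are negotiable
    - the server certificate must chain to a trusted CA
    - the hostname must match the certificate, so a valid certificate for
      the wrong host is rejected
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS        # refuse TLS 1.0 and 1.1 explicitly
    return ctx


def make_weak_tls_context() -> ssl.SSLContext:
    """The misconfiguration common in integration code: verification switched off.

    Present only so the audit below has a failing case to report.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE      # accepts any certificate at all
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context meets the floor.

    A check like this, run in CI or during a configuration review, produces
    evidence that encryption in transit is enforced rather than only documented.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    if ctx.minimum_version < MIN_TLS:
        findings.append("minimum protocol version is below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(make_ephi_tls_context()))
    print("weak:    ", audit_tls_context(make_weak_tls_context()))
```

The hardened context is what an HTTPS or SFTP-over-TLS client should be handed; the audit function is the piece worth keeping, because it turns the policy statement into a repeatable check with output that can be filed as compliance evidence.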
HIPAA Cybersecurity Requirements: What Happens When a Security Incident Occurs?
Entities must have clear policies and procedures to identify and respond to security incidents, mitigate harm as far as possible, and document what happened and the steps taken. In addition, the Breach Notification Rule (BNR) dictates how covered entities must respond to a breach in order to remain compliant.
The BNR stipulates that:
- All affected individuals must be notified via first-class mail (or email, if they've consented to electronic notice) without unreasonable delay and no later than 60 days after the breach is discovered.
- The Secretary of HHS must be notified within 60 days of discovery if the breach affects 500 or more individuals. For breaches affecting fewer than 500, HHS notification is submitted annually, within 60 days of the end of the calendar year in which the breach was discovered.
- If more than 500 residents of a single state or jurisdiction are affected, the entity must also notify prominent media outlets serving that state or jurisdiction within the same 60-day window. This is typically issued as a press release.
- If the entity has insufficient or out-of-date contact information for 10 or more affected individuals, a substitute notice must be posted on the home page of its website for at least 90 days, or placed in major print/broadcast media in the affected area, along with a toll-free number active for at least 90 days. For fewer than 10 unreachable individuals, alternative written notice, telephone, or other means may be used.
A HIPAA-ready incident response plan should include:
- Clear preparation, including the identification of a response team and communication templates.
- Identification and investigation procedures (i.e., to establish whether a threat is legitimate).
- Steps to contain threats and secure systems containing ePHI.
- Removal and remediation steps, including applying additional security measures and sanctions if employees are at fault.
- Complete documentation of the threat and its outcome.
To support incident response, covered entities can use Security Information and Event Management (SIEM) tools to correlate event logs and identify where a threat began. Audit trails are also important after an incident, to prove HIPAA compliance and demonstrate the actions taken. It is also beneficial to establish automatic log-off policies so that work sessions are terminated after periods of inactivity, which closes the window in which an unattended session could be misused.
Common initial-access threats include phishing (confidence tricks and false links that lead people to give away sensitive information) and ransomware (malicious code that encrypts or locks systems and networks and demands payment for their release). This is why phishing protection is now considered a default recommendation.
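To show what "correlating event logs" and "audit trails" look like in practice, here is an added example (not code from the article or from VikingCloud) that runs three detection rules over a handful of constructed ePHI access events: a minimum-necessary check (a role viewing a field it has no business need for), an idle-session check (activity resuming after the automatic log-off threshold with no fresh login), and a bulk-access check (one user touching many distinct records in a short window). The log format, the role-to-field policy, the thresholds and the function names are all this example's own assumptions.

```python
"""Audit-trail correlation over constructed ePHI access events.

Added illustration (not code from the original article or from VikingCloud).
The key=value log format, ROLE_FIELDS policy, thresholds and function names
are this example's own assumptions; a real SIEM normalises vendor formats
into something similar before applying rules like these.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2025-03-04T09:00:00 user=jdoe role=billing session=s1 action=login record=- field=-
2025-03-04T09:01:10 user=jdoe role=billing session=s1 action=view record=P001 field=insurance
2025-03-04T09:02:30 user=jdoe role=billing session=s1 action=view record=P002 field=clinical
2025-03-04T09:40:00 user=jdoe role=billing session=s1 action=view record=P003 field=insurance
2025-03-04T10:00:00 user=asmith role=nurse session=s2 action=login record=- field=-
2025-03-04T10:00:05 user=asmith role=nurse session=s2 action=view record=P010 field=clinical
2025-03-04T10:00:09 user=asmith role=nurse session=s2 action=view record=P011 field=clinical
2025-03-04T10:00:14 user=asmith role=nurse session=s2 action=view record=P012 field=clinical
2025-03-04T10:00:19 user=asmith role=nurse session=s2 action=view record=P013 field=clinical
2025-03-04T10:00:25 user=asmith role=nurse session=s2 action=view record=P014 field=clinical
2025-03-04T10:00:31 user=asmith role=nurse session=s2 action=view record=P015 field=clinical
"""

# Minimum-necessary policy (assumed): which ePHI fields each role may view.
ROLE_FIELDS = {
    "billing": {"demographics", "insurance"},
    "nurse": {"demographics", "insurance", "clinical"},
    "physician": {"demographics", "insurance", "clinical"},
}
IDLE_LIMIT = timedelta(minutes=15)   # automatic log-off threshold (assumed)
BULK_LIMIT = 5                       # distinct records per window before flagging
BULK_WINDOW = timedelta(hours=1)


def parse_log(text: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def correlate(events: list) -> list:
    """Return (rule, user, detail) findings from the three checks."""
    findings = []
    last_seen = {}                          # session id -> time of last event
    per_user_views = defaultdict(list)      # user -> [(ts, record)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        # 1. Minimum necessary: field outside the role's allowed set.
        if ev["action"] == "view" and ev["field"] not in ROLE_FIELDS.get(ev["role"], set()):
            findings.append(("minimum_necessary", ev["user"],
                             f"{ev['role']} viewed {ev['field']} on {ev['record']}"))
        # 2. Automatic log-off: activity resumes past the idle limit with no new login.
        sid = ev["session"]
        if sid in last_seen and ev["action"] != "login":
            gap = ev["ts"] - last_seen[sid]
            if gap > IDLE_LIMIT:
                findings.append(("idle_session", ev["user"],
                                 f"session {sid} active after {int(gap.total_seconds() // 60)} min idle"))
        last_seen[sid] = ev["ts"]
        # 3. Bulk access: too many distinct records inside the window.
        if ev["action"] == "view":
            views = per_user_views[ev["user"]]
            views.append((ev["ts"], ev["record"]))
            recent = {rec for t, rec in views if ev["ts"] - t <= BULK_WINDOW}
            if len(recent) == BULK_LIMIT + 1:   # fire once, when the limit is crossed
                findings.append(("bulk_access", ev["user"],
                                 f"{len(recent)} distinct records within {BULK_WINDOW}"))
    return findings


def findings_by_rule(text: str = SAMPLE_LOG) -> dict:
    """Group findings by rule name for reporting and testing."""
    grouped = defaultdict(list)
    for rule, user, detail in correlate(parse_log(text)):
        grouped[rule].append((user, detail))
    return dict(grouped)


if __name__ == "__main__":
    for rule, items in findings_by_rule().items():
        for user, detail in items:
            print(f"[{rule}] {user}: {detail}")
```

On the sample data the billing user trips the minimum-necessary rule on the clinical field, the same session resumes after 37 minutes of inactivity (evidence that automatic log-off is not enforced), and the nurse account crosses the bulk-access threshold. Each finding carries the user, session and record so it can be attached to the incident record the Security Rule expects you to keep.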
Why Your Business Associates Are Part of Your Compliance Obligation
One of the most frequently underestimated areas of HIPAA compliance is the covered entity's responsibility for its business associates (vendors, contractors, and service providers) that handle ePHI on its behalf.
HIPAA requires that covered entities have a written Business Associate Agreement (BAA) in place with every business associate before any ePHI is shared. The BAA must establish the permitted and required uses of ePHI, require the business associate to apply appropriate safeguards, obligate breach notification back to the covered entity, and establish conditions for termination if the agreement is violated.
Serving as much more than a compliance checkbox, BAAs are a risk management instrument. Business associates are directly liable for their own HIPAA violations, but covered entities still face scrutiny when a BA breach originates from a failure in due diligence or contract management. From our experience, organizations often have BAAs in place but have never reviewed them against current Security Rule standards or haven't re-evaluated whether a vendor's security posture still justifies access to ePHI.
A practical BA management program includes:
- A complete inventory of all business associates with access to ePHI.
- Executed BAAs reviewed against current Security Rule requirements.
- Periodic vendor security assessments, at a minimum annually and after any significant change to a vendor's systems or access scope.
- Clear processes for BA breach notification, including contractual timelines aligned to HIPAA's 60-day rule.
- Defined termination procedures if a BA cannot demonstrate adequate safeguards.
The proposed 2026 Security Rule updates explicitly strengthen BA oversight obligations, including annual verification requirements, underscoring that this is an area of increasing enforcement focus.
Keeping ePHI Available When Systems Fail
HIPAA cybersecurity requirements for contingency planning are frequently overlooked, yet they help entities recover from even large-scale breaches and attacks. Planning alone, however, is not enough: all entities must carefully test their plans in controlled environments before a genuine security event occurs.
HIPAA requires that the following components make up a cybersecurity contingency plan:
- A data backup plan.
- A disaster recovery plan.
- An emergency mode operation plan.
- Regular testing and reviews of all contingency plan components.
- Regular assessment and prioritization of the applications and devices that use ePHI, so that they can be restored in the right order after a breach or outage.
These requirements help entities minimize potential losses and get operations back up and running as soon as possible. It is also important to define recovery timescales, ensure plans are broadly understood, and specify which events trigger activation of the contingency plan.
Why Your Staff Are Your Biggest Security Risk
Research shows that human error and phishing remain two of the most prevalent causes of healthcare data breaches, indicating that consistent security training and awareness building are vital across the industry.
HIPAA states that security training and awareness programs must be tailored to all people within an entity, including management. That means anyone who comes into contact with ePHI must undergo regular, rolling training to ensure that everyone who handles it is always up to date with the latest threats and potential weaknesses.
These programs must cover knowledge of how to protect ePHI, what to look out for in phishing emails and calls, and how to effectively set and maintain secure passwords. Employees and managers must also understand how to identify, report, and respond to security breaches, and how to keep in line with specific policies laid out by the organization’s Security Officer.
Training should also reinforce the HIPAA minimum necessary standard that access to ePHI be limited to the information reasonably necessary to accomplish a given task. This principle directly governs access control decisions and role-based permission structures and is frequently overlooked as a workforce training topic even though it underlies some of the most common audit findings.
The Security Officer plays a pivotal role in the development and documentation of training records, which must be retained for at least six years.
How to Prepare for an OCR Audit
Preparing for an audit means ensuring that ePHI is safeguarded and that security policies are followed, for both external and internal compliance checks. Both cover similar ground, but internal checks help prepare an entity for an OCR audit by surfacing key vulnerabilities or failings that can be remedied quickly.
To prepare for an OCR audit, you must ensure that you:
- Have a designated Security Officer.
- Undertake a complete risk analysis.
- Know where and how ePHI is stored, and how it can be accessed.
- Have clear, role-based access controls in place.
- Keep a complete record of business associates who have contracts to access ePHI.
- Use mitigation measures such as enterprise-standard security software.
- Have clear processes in place to report and respond to incidents.
- Comprehensively monitor all devices accessing or storing ePHI.
- Fully explain all policies and processes relating to ePHI security.
- Run rolling security awareness programs for all personnel.
- Have a sanctions program in place to reprimand anyone who breaches HIPAA.
- Have implemented a contingency plan.
- Can fully justify your level of security measures.
- Encrypt all data and demonstrate how you carry this out.
- Log and document all policies, procedures, and security events.
These are the basic points that OCR looks for when auditing, and what you should cover during internal checks. It’s also important to regularly conduct penetration testing to uncover and remediate any hidden weaknesses.
VikingCloud's security testing services, including penetration testing and vulnerability scanning, are designed specifically to meet the evidentiary standard OCR looks for: documented scope, methodology, findings, and remediation tracking.
HIPAA is Changing: What Covered Entities Need to Know for 2026
Given the evolving threat landscape and the healthcare industry remaining a key target for malicious attacks, the HIPAA Security Rule is undergoing its most significant overhaul since 2003. HHS published its Notice of Proposed Rulemaking (NPRM) in January 2025, and the final rule is expected to be published in the spring of 2026.
The proposed changes are much more substantial than early coverage suggested. The headline items are mandatory multi-factor authentication (MFA), encryption at rest, and periodic vulnerability scanning and penetration testing, but these are just the starting point. The full scope includes:
- Elimination of the “required” vs. “addressable” distinction. Nearly all implementation specifications become mandatory. The flexibility to document an alternative to controls like encryption or audit logging is removed.
- MFA enforced across all systems accessing ePHI. There are no exceptions to this requirement.
- Encryption of ePHI at rest and in transit becomes mandatory rather than addressable.
- Annual penetration testing, and vulnerability scanning at least every six months and after any major environmental change.
- Technology asset inventory and network map are required, where covered entities must maintain a current, documented inventory of all hardware and software touching ePHI, and a network diagram showing how data flows.
- Network segmentation is explicitly required as a technical safeguard to limit lateral movement in the event of a breach.
- Anti-malware protections are required on all systems that could be affected by malicious software.
- A 24-hour internal notification to the workforce is mandatory following a confirmed security incident, along with specific timelines for cross-entity reporting.
- Vendor verification of business associates must be completed at least annually.
- Enhanced backup and recovery requirements, with defined expectations for restoration timelines and data integrity verification.
For covered entities, the practical implication is that the era of treating encryption, MFA, and segmentation as optional or “addressable” is over. Organizations that have not yet conducted a gap assessment against the proposed rule's requirements should do so now. The compliance window, once the final rule is published, moves faster than most implementation programs can absorb.
Conclusion
HIPAA compliance is not a one-and-done exercise. It is a rolling obligation, meaning all covered entities must continuously protect ePHI and keep their teams up to date with the latest threat vectors throughout the year.
To better secure your organization in line with changing HIPAA standards, learn more about how VikingCloud can help you manage, analyze, and protect your ePHI with our HIPAA compliance services.