Security Rule

Why is the HIPAA Security Rule needed and what is the purpose of the security standards?

Is the use of encryption mandatory in the Security Rule?

What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?

Are we required to “certify” our organization’s compliance with the standards of the Security Rule?

Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-PHI)?

Is the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) suspended during a national or public health emergency?

Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?

How can a small provider implement the standards in the Security Rule?

How will we know if our organization and our systems are compliant with the Security Rule’s requirements?

Does the Security Rule require the use of an electronic or digital signature?

Do the standards of the Security Rule require use of specific technologies?

What does the Security Rule mean by physical safeguards?

What is the difference between Risk Analysis and Risk Management in the Security Rule?

Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?

Are covered entities required to use the National Institute of Standards and Technology (NIST) guidance documents referred to in the preamble to the final Security Rule (68 Fed. Reg. 8334 (February 20, 2003))?

Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required?

Does the Security Rule allow you to network computers? In other words, are covered entities allowed to connect two computer systems, either within the covered entity, or between two covered entities or between a covered entity and its business associate(s) so that they can exchange information directly?

Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?

Who enforces the health information privacy and security standards established under the Health Insurance Portability and Accountability Act (HIPAA)?

What is the difference between addressable and required implementation specifications in the Security Rule?

What is encryption?

What are some examples of threats that covered entities should address when conducting their risk analysis in order to comply with the Security Rule?

No, unless the disclosure is otherwise permitted under the HIPAA Privacy Rule, particularly given that cyber threat indicators do not generally include PHI.

First, a business associate may not use PHI in a manner or to accomplish a purpose or result that would violate the HIPAA Privacy Rule. See 45 CFR § 164.502(a)(3).
