The Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information that is created, received, used, or maintained by a covered entity or its business associate. The Security Rule requires implementation of appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

View the combined regulation text of all HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164.

Security Rule History

HHS Security Risk Assessment Tool

The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a Security Risk Assessment Tool for regulated entities. The tool's features make it useful in assisting small and medium-sized health care practices and business associates as they perform a risk assessment.

OCR and NIST HIPAA Security Rule Conference

Safeguarding Health Information: Building Assurance Through HIPAA Security

View the presentations from the OCR and NIST HIPAA Security Rule Conference held October 23-24, 2024.

Security Rule Guidance

See the Security Rule Guidance and Cyber Security Guidance webpages for guidance

The Security Rule

Security Rule History

January 6, 2025

January 25, 2013

July 14, 2010

August 4, 2009

February 20, 2003

August 12, 1998

HHS Security Risk Assessment Tool

OCR and NIST HIPAA Security Rule Conference

Security Rule Guidance

HHS Email updates