Are Your HIPAA Security Rule Safeguards Audit-Ready? Use This IT Risk Assessment Matrix to Find Out
HIPAA compliance is not just a policy binder. It is a repeatable security program that proves your organization protects electronic protected health information, knows where risks exist, and documents what was reviewed, who reviewed it, when it was reviewed, and what will be fixed next.
Why Business Leaders and IT Managers Should Care
The HIPAA Security Rule requires covered entities and business associates to protect ePHI through administrative, physical, and technical safeguards. For executives, that means reducing regulatory, operational, financial, and reputational exposure. For IT managers, it means implementing controls that can be tested, evidenced, assigned, reviewed, and improved over time.
For business owners
See risk clearly. Know whether access, encryption, logging, vendor oversight, contingency planning, and incident response are working across your organization.
For IT managers
Document defensible controls. Track required and addressable implementation specifications, evidence, responsible owners, audit dates, findings, and remediation status.
For IT teams
Translate HIPAA into daily work. Use the matrix to validate identity, access, logging, endpoint, network, backup, facility, and vendor safeguards.
HIPAA Security Guidance Backed by 25+ Years of Real-World IT and Cybersecurity Experience
OC Security Audit brings more than 25 years of hands-on experience helping Southern California organizations understand, strengthen, and document their security environments. The firm is managed by Ali Hasani, a cybersecurity expert with 25+ years of experience as a network engineer, network administrator, IT manager, and cybersecurity consultant serving businesses across Irvine, Orange County, and Southern California.
Ali Hasani’s background includes work across dozens of Southern California IT environments, helping organizations secure networks, improve technology operations, assess risks, and support compliance-readiness efforts. His professional certifications include CISSP, CCISO, MCSE, CCNP, MCITP, and MCSA Security, giving business leaders and IT managers practical guidance grounded in both technical depth and management-level security experience.
Experience that supports HIPAA audit readiness
- 25+ years of IT, network, and cybersecurity experience
- Leadership under Ali Hasani, cybersecurity expert and consultant
- Experience as network engineer, network administrator, IT manager, and cybersecurity consultant
- Southern California, Irvine, and Orange County business security focus
- Certifications including CISSP, CCISO, MCSE, CCNP, MCITP, and MCSA Security
- Practical experience securing dozens of IT environments
How to Use This HIPAA Safeguards Matrix
Use this page during internal audits, risk assessments, technical reviews, executive reporting, vendor reviews, and remediation planning.
Identify ePHI systems
List EHR, billing, email, cloud storage, endpoints, servers, network devices, backups, vendors, and remote access systems.
Document safeguard status
Record whether each safeguard is implemented, in progress, not started, needs review, or has a gap.
Capture audit evidence
Add the reviewer, last audit date, evidence location, findings, risk rating, and next review date.
Assign remediation
Prioritize gaps by business risk and assign corrective action owners, target dates, and executive notes.
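To show how the four steps above become a working risk register, here is an added example (not OC Security Audit's own tooling) that parses rows pasted in the matrix's 19-column Markdown layout, ranks open gaps by Required/Addressable status and risk rating, and flags rows an auditor would question: no control owner, an open gap with no plan or target date, an overdue next review, or "Not Applicable" on a specification the matrix does not mark "if applicable". The sample rows, the filler column values and the AS_OF review date are constructed.

```python
# Added example, not OC Security Audit's own tooling. Rows are assumed to follow
# the page's 19-column layout; sample rows and AS_OF below are constructed.
from datetime import date

HEADERS = ("# | Safeguard Category | HIPAA Reference | Standard / Implementation Specification | "
           "Required / Addressable | Plain-English Control Objective | Technical Terms to Validate | "
           "Systems / Assets in Scope | Current Status | Risk Rating | Evidence / Artifact Needed | "
           "Control Owner | Auditor / Reviewer | Last Audit Date | Findings / Gap Notes | "
           "Remediation Plan | Target Date | Next Review Date | Executive Notes").split(" | ")
# Status vocabulary from the "Document safeguard status" step on this page.
STATUSES = {"Implemented", "In Progress", "Not Started", "Needs Review",
            "Gap Identified", "Not Applicable"}
RISK_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}
STATUS_WEIGHT = {"Gap Identified": 3, "Not Started": 3, "Needs Review": 2,
                 "In Progress": 1, "Implemented": 0, "Not Applicable": 0}
AS_OF = date(2025, 6, 30)  # constructed review date for the sample run

def parse_rows(markdown: str) -> list:
    """Parse pipe-delimited rows, skipping the header and separator lines."""
    rows = []
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(HEADERS) or cells[0] in ("#", "---"):
            continue
        row = dict(zip(HEADERS, cells))
        if row["Current Status"] not in STATUSES:
            raise ValueError(f"row {row['#']}: unknown status {row['Current Status']!r}")
        rows.append(row)
    return rows

def priority(row: dict) -> int:
    """Higher = fix sooner; Required/Standard outranks Addressable at equal risk."""
    if row["Current Status"] in ("Implemented", "Not Applicable"):
        return 0
    required = 1 if row["Required / Addressable"].startswith("Addressable") else 2
    return STATUS_WEIGHT[row["Current Status"]] * RISK_WEIGHT[row["Risk Rating"]] * 2 + required

def audit_issues(row: dict, today: date) -> list:
    """Evidence checks an auditor would raise against a single row."""
    issues, status = [], row["Current Status"]
    if status == "Not Applicable" and "if applicable" not in row["Required / Addressable"]:
        issues.append("Not Applicable used on a specification not marked 'if applicable'")
    if not row["Control Owner"]:
        issues.append("no control owner assigned")
    if status in ("Gap Identified", "Not Started") and not (
            row["Remediation Plan"] and row["Target Date"]):
        issues.append("open gap has no remediation plan or target date")
    if status == "Implemented" and not row["Last Audit Date"]:
        issues.append("marked Implemented but never audited")
    if row["Next Review Date"] and date.fromisoformat(row["Next Review Date"]) < today:
        issues.append(f"next review overdue since {row['Next Review Date']}")
    return issues

def remediation_queue(markdown: str, today: date) -> list:
    """Rows ordered by priority (ties broken by row number), each with its issues."""
    queue = [{"id": int(r["#"]), "spec": r["Standard / Implementation Specification"],
              "priority": priority(r), "issues": audit_issues(r, today)}
             for r in parse_rows(markdown)]
    return sorted(queue, key=lambda q: (-q["priority"], q["id"]))

def _row(num, ref, spec, req, status, risk, owner="", last="", plan="", target="", nxt=""):
    """One constructed row in the page's column order; unused columns hold filler."""
    cells = [num, "Administrative", ref, spec, req, "objective", "terms", "systems",
             status, risk, "evidence", owner, "", last, "", plan, target, nxt, ""]
    return "| " + " | ".join(cells) + " |"

SAMPLE_TABLE = "\n".join([
    "| " + " | ".join(HEADERS) + " |", "|" + "---|" * len(HEADERS),
    _row("1", "45 CFR §164.308(a)(1)(ii)(A)", "Risk Analysis", "Required", "Gap Identified",
         "High", "IT Manager", plan="Update risk analysis", target="2025-09-30", nxt="2025-12-31"),
    _row("2", "45 CFR §164.308(a)(1)(ii)(B)", "Risk Management", "Required", "Not Applicable",
         "High", "IT Manager"),
    _row("9", "45 CFR §164.308(a)(4)(ii)(A)", "Isolating Health Care Clearinghouse Functions",
         "Required, if applicable", "Not Applicable", "Low", "Compliance Officer / IT"),
    _row("12", "45 CFR §164.308(a)(5)(ii)(A)", "Security Reminders", "Addressable", "Needs Review",
         "Medium"),
    _row("20", "45 CFR §164.308(a)(7)(ii)(D)", "Testing and Revision Procedures", "Addressable",
         "Not Started", "Medium", "IT / Compliance"),
    _row("33", "45 CFR §164.312(a)(2)(i)", "Access Control: Unique User Identification", "Required",
         "Implemented", "High", "IT Manager", last="2024-05-15", nxt="2025-05-15"),
])

for item in remediation_queue(SAMPLE_TABLE, AS_OF):  # sample run
    print(item["priority"], item["id"], item["spec"], item["issues"])
```

Paste the real matrix rows in place of SAMPLE_TABLE and set the review date to today to get the same queue for your own register.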
HIPAA Security Rule Safeguards Assessment Matrix
Use this editable HTML table as a spreadsheet-style working document. IT managers can update status, risk rating, asset scope, audit owner, last audit date, evidence, findings, remediation plan, and next review date directly in the table before copying it into an internal risk register or audit workbook.
| # | Safeguard Category | HIPAA Reference | Standard / Implementation Specification | Required / Addressable | Plain-English Control Objective | Technical Terms to Validate | Systems / Assets in Scope | Current Status | Risk Rating | Evidence / Artifact Needed | Control Owner | Auditor / Reviewer | Last Audit Date | Findings / Gap Notes | Remediation Plan | Target Date | Next Review Date | Executive Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Administrative | 45 CFR §164.308(a)(1)(ii)(A) | Risk Analysis | Required | Identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. | ePHI inventory, threat modeling, vulnerability assessment, likelihood, impact, residual risk, risk register | EHR, billing, cloud storage, email, endpoints, network, backups | Needs Review | High | Risk assessment report, asset inventory, vulnerability scan, data flow diagram | Security Officer / IT Manager |  |  |  | Update risk analysis and document risk decisions. |  |  | Board or ownership should review major ePHI risks. |
| 2 | Administrative | 45 CFR §164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. | risk treatment plan, compensating controls, mitigation, acceptance, transfer, avoidance | All systems handling ePHI | In Progress | High | Remediation tracker, risk treatment approvals, project tickets | IT Manager |  |  |  | Prioritize high-risk safeguards first. |  |  | Leadership should approve risk exceptions. |
| 3 | Administrative | 45 CFR §164.308(a)(1)(ii)(C) | Sanction Policy | Required | Apply appropriate sanctions against workforce members who fail to comply with security policies. | disciplinary process, workforce accountability, acceptable use, policy acknowledgment | Workforce, contractors, privileged users | Needs Review | Medium | HR policy, signed acknowledgments, incident records | HR / Compliance Officer |  |  |  | Align sanctions with HR procedures. |  |  |  |
| 4 | Administrative | 45 CFR §164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Regularly review records of system activity, including audit logs, access reports, and security incident tracking reports. | SIEM, audit trail, log retention, anomaly detection, access report, security event, alert triage | EHR, Microsoft 365, VPN, firewalls, servers, databases | Gap Identified | High | Log review records, SIEM reports, access review sign-offs | Security Analyst / IT Manager |  |  | Define frequency and ownership for log reviews. | Create monthly log review workflow. |  |  | Executives should know whether suspicious activity is reviewed. |
| 5 | Administrative | 45 CFR §164.308(a)(2) | Assigned Security Responsibility | Standard | Designate a security official responsible for developing and implementing HIPAA Security Rule policies and procedures. | security officer, governance, RACI, accountability, compliance ownership | Organization-wide | Needs Review | Medium | Appointment memo, job description, governance chart | Business Owner / Executive Sponsor |  |  |  | Formally assign security responsibility. |  |  | A named owner improves audit readiness. |
| 6 | Administrative | 45 CFR §164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorize and supervise workforce members who work with ePHI or locations where ePHI may be accessed. | least privilege, manager approval, workforce supervision, access request workflow | EHR, shared drives, cloud apps, clinics, remote access | In Progress | Medium | Access request tickets, manager approvals, onboarding checklist | Department Manager / IT |  |  |  | Standardize access approvals. |  |  |  |
| 7 | Administrative | 45 CFR §164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Determine that workforce access to ePHI is appropriate before granting access. | role-based access control, clearance, job function, access provisioning | User accounts and privileged access | Needs Review | Medium | Role matrix, access approval evidence, background check policy if applicable | HR / IT |  |  |  | Map roles to minimum necessary access. |  |  |  |
| 8 | Administrative | 45 CFR §164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Terminate access to ePHI when employment or engagement ends. | offboarding, account disablement, token revocation, shared account review, device return | Identity provider, EHR, email, VPN, mobile devices | Needs Review | High | Offboarding checklist, disabled account evidence, device return records | HR / IT |  |  |  | Test recent terminations for timely access removal. |  |  | Delayed termination creates avoidable breach risk. |
| 9 | Administrative | 45 CFR §164.308(a)(4)(ii)(A) | Isolating Health Care Clearinghouse Functions | Required, if applicable | If a clearinghouse is part of a larger organization, protect ePHI from unauthorized access by the larger organization. | network segmentation, logical separation, data segregation, access boundary | Clearinghouse systems, shared infrastructure | Not Applicable | Low | Applicability analysis, network diagram, access control list | Compliance Officer / IT |  |  |  | Document applicability. |  |  |  |
| 10 | Administrative | 45 CFR §164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Implement policies and procedures for granting access to ePHI. | RBAC, access authorization, privileged access, approval workflow, minimum necessary | EHR, billing, file shares, databases | In Progress | High | Access control policy, role matrix, approval tickets | IT Manager |  |  |  | Review who can approve sensitive access. |  |  |  |
| 11 | Administrative | 45 CFR §164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Establish, document, review, and modify user access rights to ePHI systems. | joiner-mover-leaver, access recertification, entitlement review, privilege creep | Identity provider, EHR, cloud applications | Gap Identified | High | Quarterly access review, change tickets, entitlement export | IT / System Owners |  |  | No formal access recertification evidence. | Implement quarterly access review. |  |  | Privilege creep is a common audit finding. |
| 12 | Administrative | 45 CFR §164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Provide periodic security updates to workforce members. | security awareness, phishing alerts, policy reminders, micro-training | All workforce users | Needs Review | Medium | Training emails, LMS records, security newsletter archive | Security Officer |  |  |  | Schedule monthly security reminders. |  |  |  |
| 13 | Administrative | 45 CFR §164.308(a)(5)(ii)(B) | Protection from Malicious Software | Addressable | Train users and implement procedures to guard against malicious software. | EDR, anti-malware, phishing, macro control, ransomware, endpoint hardening | Endpoints, servers, email, web filtering | In Progress | High | EDR dashboard, malware alerts, user training records | IT Security |  |  |  | Confirm endpoint coverage and alert response. |  |  | Ransomware protection is a business continuity issue. |
| 14 | Administrative | 45 CFR §164.308(a)(5)(ii)(C) | Log-in Monitoring | Addressable | Monitor log-in attempts and report discrepancies. | failed login, impossible travel, brute force, conditional access, MFA fatigue | Identity provider, EHR, VPN, cloud apps | Needs Review | High | Login reports, alert rules, incident tickets | IT Security |  |  |  | Tune alerts for failed and risky logins. |  |  |  |
| 15 | Administrative | 45 CFR §164.308(a)(5)(ii)(D) | Password Management | Addressable | Create and manage procedures for creating, changing, and safeguarding passwords. | password policy, MFA, password manager, complexity, lockout, credential reuse | Identity provider, EHR, local admin accounts | Needs Review | High | Password policy, MFA enforcement report, privileged account list | IT Manager |  |  |  | Align password and MFA controls with current risk. |  |  | MFA reduces credential-based compromise risk. |
| 16 | Administrative | 45 CFR §164.308(a)(6)(ii) | Security Incident Procedures: Response and Reporting | Required | Identify, respond to, mitigate, and document security incidents. | incident response plan, containment, eradication, recovery, lessons learned, breach triage | All ePHI systems and security tools | Needs Review | High | IR plan, incident tickets, tabletop exercise records | Security Officer / IT Manager |  |  |  | Run annual tabletop exercise. |  |  | Executives need decision roles during incidents. |
| 17 | Administrative | 45 CFR §164.308(a)(7)(ii)(A) | Data Backup Plan | Required | Create and maintain retrievable exact copies of ePHI. | backup, immutable backup, recovery point objective, recovery time objective, restoration testing | EHR, databases, file shares, cloud storage | In Progress | High | Backup policy, backup logs, restore test evidence | IT Operations |  |  |  | Test backups, not just backup jobs. |  |  | Backups support patient care continuity. |
| 18 | Administrative | 45 CFR §164.308(a)(7)(ii)(B) | Disaster Recovery Plan | Required | Restore any loss of data after an emergency or disaster. | DR plan, failover, recovery runbook, alternate site, cloud recovery | Critical ePHI systems | Needs Review | High | DR plan, restoration test, recovery runbook | IT Operations |  |  |  | Validate recovery sequence and dependencies. |  |  |  |
| 19 | Administrative | 45 CFR §164.308(a)(7)(ii)(C) | Emergency Mode Operation Plan | Required | Enable continuation of critical business processes for protecting ePHI during emergency operations. | business continuity, emergency access, downtime procedures, manual workflows | Clinical systems, communications, authentication, network | Needs Review | High | Emergency operations plan, downtime procedure, contact list | Operations / IT |  |  |  | Test downtime process with department leaders. |  |  | This protects both compliance and patient service. |
| 20 | Administrative | 45 CFR §164.308(a)(7)(ii)(D) | Testing and Revision Procedures | Addressable | Test and revise contingency plans. | tabletop exercise, backup restore test, DR test, lessons learned, corrective action | Business continuity and DR procedures | Gap Identified | Medium | Test schedule, test results, updated plan version | IT / Compliance |  |  | Plans exist but testing evidence is incomplete. | Schedule annual DR and incident response exercises. |  |  |  |
| 21 | Administrative | 45 CFR §164.308(a)(7)(ii)(E) | Applications and Data Criticality Analysis | Addressable | Assess the relative criticality of specific applications and data in support of contingency planning. | BIA, criticality tier, system dependency, RTO, RPO, data classification | EHR, billing, lab systems, imaging, file shares | Needs Review | Medium | Business impact analysis, application inventory, criticality matrix | Operations / IT |  |  |  | Rank systems by patient care and ePHI impact. |  |  |  |
| 22 | Administrative | 45 CFR §164.308(a)(8) | Evaluation | Standard | Perform periodic technical and nontechnical evaluations in response to environmental or operational changes. | technical audit, nontechnical evaluation, control assessment, policy review, change trigger | Security program, systems, policies, facilities, vendors | Needs Review | High | HIPAA evaluation report, audit checklist, corrective action plan | Compliance Officer / External Auditor |  |  |  | Schedule recurring HIPAA Security Rule evaluation. |  |  | Useful for owners to confirm program maturity. |
| 23 | Physical | 45 CFR §164.310(a)(2)(i) | Facility Access Controls: Contingency Operations | Addressable | Establish procedures that allow facility access during disaster recovery and emergency mode operations. | emergency access, facility continuity, badge access, physical key control | Offices, server rooms, network closets | Needs Review | Medium | Emergency access procedure, keyholder list, access logs | Facilities / IT |  |  |  | Confirm emergency access is controlled and logged. |  |  |  |
| 24 | Physical | 45 CFR §164.310(a)(2)(ii) | Facility Security Plan | Addressable | Safeguard facilities and equipment from unauthorized physical access, tampering, and theft. | physical security, badge access, cameras, visitor controls, server room locks | Office, clinic, server room, reception, records area | Needs Review | Medium | Facility security plan, access logs, visitor log, camera policy | Facilities Manager |  |  |  | Document physical security zones. |  |  |  |
| 25 | Physical | 45 CFR §164.310(a)(2)(iii) | Access Control and Validation Procedures | Addressable | Control and validate a person’s access to facilities based on role or function. | badge validation, visitor escort, access revocation, key inventory | Restricted areas, network closets, records rooms | In Progress | Medium | Access list, badge review, visitor sign-in records | Facilities / HR |  |  |  | Review facility access quarterly. |  |  |  |
| 26 | Physical | 45 CFR §164.310(a)(2)(iv) | Maintenance Records | Addressable | Document repairs and modifications to physical security components. | maintenance log, access hardware, lock changes, camera maintenance | Doors, locks, cameras, alarm systems, server rooms | Needs Review | Low | Maintenance records, vendor work orders, change approvals | Facilities |  |  |  | Centralize facility security maintenance records. |  |  |  |
| 27 | Physical | 45 CFR §164.310(b) | Workstation Use | Standard | Specify proper functions to be performed, how those functions are performed, and physical attributes of workstations accessing ePHI. | workstation policy, screen positioning, clean desk, approved use, remote work | Desktops, laptops, shared workstations, remote devices | Needs Review | Medium | Workstation use policy, training record, device inventory | IT / Compliance |  |  |  | Update workstation policy for hybrid work. |  |  |  |
| 28 | Physical | 45 CFR §164.310(c) | Workstation Security | Standard | Implement physical safeguards for workstations that access ePHI. | cable locks, privacy screens, auto-lock, restricted workstation placement | Workstations in clinical and administrative areas | Needs Review | Medium | Walkthrough checklist, auto-lock policy, workstation inventory | IT / Facilities |  |  |  | Perform workstation security walkthrough. |  |  |  |
| 29 | Physical | 45 CFR §164.310(d)(2)(i) | Device and Media Controls: Disposal | Required | Implement procedures for final disposition of ePHI and hardware or media containing ePHI. | secure disposal, shredding, degaussing, cryptographic erase, certificate of destruction | Hard drives, laptops, mobile devices, backup media | Needs Review | High | Disposal policy, destruction certificates, asset disposal log | IT Asset Manager |  |  |  | Require documented destruction for all retired media. |  |  | Uncontrolled disposal can trigger breach exposure. |
| 30 | Physical | 45 CFR §164.310(d)(2)(ii) | Media Re-use | Required | Remove ePHI from electronic media before reuse. | secure wipe, media sanitization, NIST-style purge/clear/destroy, device reassignment | Laptops, USB drives, removable media, servers | Needs Review | High | Sanitization records, imaging logs, device reassignment checklist | IT Operations |  |  |  | Document media sanitization before redeployment. |  |  |  |
| 31 | Physical | 45 CFR §164.310(d)(2)(iii) | Accountability | Addressable | Maintain a record of hardware and electronic media movement and responsible persons. | asset tracking, chain of custody, device assignment, inventory reconciliation | Laptops, tablets, mobile devices, backup drives | In Progress | Medium | Asset inventory, custody log, mobile device management export | IT Asset Manager |  |  |  | Reconcile device inventory to user list. |  |  |  |
| 32 | Physical | 45 CFR §164.310(d)(2)(iv) | Data Backup and Storage | Addressable | Create a retrievable exact copy of ePHI before movement of equipment. | pre-move backup, migration backup, data validation, storage encryption | Servers, databases, storage arrays, laptops | Needs Review | Medium | Backup record, migration plan, checksum/validation evidence | IT Operations |  |  |  | Add backup verification to hardware move checklist. |  |  |  |
| 33 | Technical | 45 CFR §164.312(a)(2)(i) | Access Control: Unique User Identification | Required | Assign a unique name or number for identifying and tracking user identity. | unique ID, identity management, named accounts, shared account elimination | EHR, email, cloud systems, admin tools | Gap Identified | High | User account export, shared account review, identity policy | IT Manager |  |  | Shared accounts still exist. | Replace shared accounts with named accounts. |  |  | Named accountability is essential for audit trails. |
| 34 | Technical | 45 CFR §164.312(a)(2)(ii) | Access Control: Emergency Access Procedure | Required | Establish procedures for obtaining necessary ePHI during an emergency. | break-glass account, emergency access, privileged access monitoring, audit review | EHR, identity provider, critical systems | Needs Review | High | Emergency access procedure, break-glass logs, approval records | IT / Clinical Operations |  |  |  | Define break-glass access and review after use. |  |  |  |
| 35 | Technical | 45 CFR §164.312(a)(2)(iii) | Access Control: Automatic Logoff | Addressable | Terminate an electronic session after a predetermined time of inactivity. | session timeout, idle lock, screen lock, inactivity threshold | EHR, workstations, cloud apps, VPN | In Progress | Medium | Configuration screenshots, group policy, application timeout settings | IT Operations |  |  |  | Validate timeout settings by system type. |  |  |  |
| 36 | Technical | 45 CFR §164.312(a)(2)(iv) | Access Control: Encryption and Decryption | Addressable | Implement a mechanism to encrypt and decrypt ePHI when appropriate. | encryption at rest, key management, full-disk encryption, database encryption, KMS | Laptops, servers, databases, backups, cloud storage | Needs Review | High | Encryption reports, key management policy, device compliance export | IT Security |  |  |  | Document where encryption is used or justify alternative controls. |  |  | Encryption decisions should be documented, not assumed. |
| 37 | Technical | 45 CFR §164.312(b) | Audit Controls | Standard | Implement hardware, software, or procedural mechanisms that record and examine activity in systems containing or using ePHI. | audit log, SIEM, log retention, user activity, admin activity, database audit, alerting | EHR, databases, servers, firewalls, identity provider, email | Gap Identified | High | Logging configuration, SIEM dashboards, retention settings, log review evidence | IT Security |  |  | Logging is enabled but review evidence is inconsistent. | Define log sources, retention, alerting, and review cadence. |  |  | Audit logs are a core evidence source after a suspected incident. |
| 38 | Technical | 45 CFR §164.312(c)(2) | Integrity: Mechanism to Authenticate ePHI | Addressable | Corroborate that ePHI has not been altered or destroyed in an unauthorized manner. | hashing, checksum, digital signature, database integrity, file integrity monitoring | Databases, file storage, backups, interfaces | Needs Review | Medium | Integrity control design, backup validation, database controls | Application Owner / IT |  |  |  | Identify where integrity validation is required. |  |  |  |
| 39 | Technical | 45 CFR §164.312(d) | Person or Entity Authentication | Standard | Verify that a person or entity seeking access to ePHI is the one claimed. | MFA, SSO, identity proofing, service account, certificate authentication, API authentication | Identity provider, EHR, VPN, APIs, third-party portals | In Progress | High | MFA policy, authentication logs, SSO configuration, service account review | IT Security |  |  |  | Expand MFA to all remote and privileged access. |  |  | Authentication failures often become breach root causes. |
| 40 | Technical | 45 CFR §164.312(e)(2)(i) | Transmission Security: Integrity Controls | Addressable | Ensure electronically transmitted ePHI is not improperly modified without detection. | TLS, secure API, message integrity, certificate validation, secure file transfer | Email, APIs, EDI, SFTP, portals, interfaces | Needs Review | High | TLS configuration, API security design, SFTP setup, interface inventory | Network / Application Owner |  |  |  | Map ePHI transmissions and validate secure protocols. |  |  |  |
| 41 | Technical | 45 CFR §164.312(e)(2)(ii) | Transmission Security: Encryption | Addressable | Encrypt ePHI whenever deemed appropriate during electronic transmission. | TLS 1.2+, encrypted email, VPN, secure messaging, certificate lifecycle, HSTS | Email, remote access, APIs, web portals, file transfers | Needs Review | High | TLS scan, email encryption policy, VPN configuration, certificate inventory | Network Security |  |  |  | Confirm no ePHI is transmitted over insecure channels. |  |  | Transmission encryption is highly visible during vendor and client reviews. |
| 42 | Organizational | 45 CFR §164.314(a) | Business Associate Contracts or Other Arrangements | Standard | Obtain satisfactory assurances that business associates will appropriately safeguard ePHI. | BAA, vendor risk management, subcontractor, security questionnaire, due diligence | Cloud providers, billing vendors, MSPs, SaaS, consultants | Needs Review | High | Executed BAAs, vendor inventory, security review records | Compliance / Procurement |  |  |  | Create vendor inventory and BAA status tracker. |  |  | Vendor gaps can become business risk quickly. |
| 43 | Organizational | 45 CFR §164.314(b) | Requirements for Group Health Plans | Standard, if applicable | Ensure plan documents provide safeguards for ePHI when group health plan requirements apply. | plan sponsor, plan documents, firewall between employer and plan, access limits | Group health plan administration | Not Applicable | Low | Applicability analysis, plan document review | HR / Legal |  |  |  | Document applicability with counsel or benefits administrator. |  |  |  |
| 44 | Documentation | 45 CFR §164.316(a) | Policies and Procedures | Standard | Implement reasonable and appropriate policies and procedures to comply with the Security Rule. | policy lifecycle, procedure, standard, exception, version control, approval workflow | Security program documentation | Needs Review | Medium | Policy set, approval records, version history, exception register | Compliance Officer |  |  |  | Update policy set to match actual controls. |  |  | Policies should reflect how the business actually operates. |
| 45 | Documentation | 45 CFR §164.316(b) | Documentation | Standard | Maintain required Security Rule documentation, retain it, make it available to responsible persons, and update it as needed. | retention, evidence repository, audit trail, document control, review cadence | Audit evidence, policies, procedures, risk records, vendor records | Needs Review | Medium | Evidence repository, retention schedule, review logs | Compliance Officer / IT Manager |  |  |  | Create a central HIPAA evidence folder by safeguard. |  |  | Good evidence reduces audit stress and improves decision-making. |
Technical Terms Business Leaders Should Ask About
You do not need to be a security engineer to lead HIPAA compliance, but you should know which technical terms reveal whether controls are actually operating.
Need help turning this matrix into an audit-ready HIPAA security program?
OC Security Audit helps organizations assess HIPAA Security Rule safeguards, document risk, review technical controls, validate evidence, and prioritize remediation for ePHI protection.