Final
Issued by: Office for Civil Rights (OCR)
The Security Rule
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
View the combined regulation text of all HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164.
Security Rule History
February 20, 2003 – Security Standards – Final Rule
August 12, 1998 – Security and Electronic Signature Standards – Proposed Rule
August 3, 2009 – View the Delegation of Authority Press Release
August 4, 2009 – Federal Register notice of the Delegation of Authority to OCR (74 FR 38630)
HHS Security Risk Assessment Tool
The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment Tool. The tool’s features make it useful in assisting small and medium-sized health care practices and business associates as they perform a risk assessment.
NIST HIPAA Security Rule Toolkit
The NIST HIPAA Security Toolkit Application is a self-assessment survey intended to help organizations better understand the requirements of the HIPAA Security Rule (HSR), implement those requirements, and assess those implementations in their operational environment. A comprehensive user guide and instructions for using the application are available along with the HSR application.
Risk Analysis Guidance
- Read the Guidance on Risk Analysis requirements under the Security Rule.
- Safeguarding Health Information: Building Assurance Through HIPAA Security
- View the presentations from the OCR and NIST HIPAA Security Rule Conference held:
Additional Security Rule Guidance
See the Security Rule Guidance page for additional guidance.