compliance governance

Implementing HIPAA Security Rule Safeguards

Implement the HIPAA Security Rule (45 CFR Part 164 Subpart C) to protect electronic protected health information (ePHI): conduct the required risk analysis, deploy the administrative, physical, and technical safeguards, handle required vs addressable implementation specifications, execute Business Associate Agreements, and stand up breach-notification readiness. Use when an organization is a HIPAA covered entity or business associate, when protecting ePHI, when preparing for an OCR audit or responding to a breach, when performing a HIPAA Security Risk Analysis, when drafting or reviewing a BAA, or when mapping security controls to the §164.308/310/312/314/316 safeguards. Notes the 2025 NPRM proposed changes (not yet final). Keywords: HIPAA, HIPAA Security Rule, ePHI, PHI, 45 CFR 164, risk analysis, administrative safeguards, physical safeguards, technical safeguards, addressable, required, Business Associate Agreement, BAA, OCR, breach notification, HITECH, covered entity, business associate.

45-cfr-164baabreach-notificationcomplianceephigovernancehipaahipaa-security-rule
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When an organization is a covered entity (health plan, clearinghouse, or provider transmitting electronic transactions) or a business associate handling ePHI on their behalf.
  • When standing up or maturing controls to protect electronic protected health information.
  • When performing the mandatory HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) — the single most-cited gap in OCR enforcement.
  • When preparing for an OCR audit/investigation or responding to a suspected breach.
  • When drafting, reviewing, or remediating a Business Associate Agreement (BAA).
  • When mapping existing security controls to the HIPAA safeguard standards and implementation specifications.

Scope note: this skill covers the Security Rule (ePHI). The Privacy Rule (uses/disclosures of all PHI) and the Breach Notification Rule are related but distinct; this skill touches breach readiness and BAAs where they intersect security.

Prerequisites

  • A clear determination of the organization's role (covered entity vs business associate) and where ePHI lives, flows, and is stored (an ePHI data map).
  • An asset inventory of systems that create, receive, maintain, or transmit ePHI.
  • Knowledge of the current rule's structure (45 CFR §§164.302–318) and the required vs addressable distinction.
  • Awareness that a 2025 NPRM proposes significant changes (see Workflow step 7 and references/standards.md) — track but do not assume them as in force.

Workflow

1. Conduct the Security Risk Analysis (§164.308(a)(1)(ii)(A))

This is required and foundational. Inventory ePHI and systems, identify threats and vulnerabilities, assess current controls, determine likelihood and impact, and assign risk levels. (Pair with the NIST 800-30 methodology and HHS's SRA Tool.) Output is a documented, dated risk analysis — the artifact OCR asks for first.

2. Implement Administrative Safeguards (§164.308)

The largest section. Includes the Security Management Process (risk analysis, risk management, sanction policy, information-system activity review), assigned security responsibility (a named Security Official), workforce security, information access management, security awareness and training, security incident procedures, contingency planning (data backup, disaster recovery, emergency-mode operation), evaluation, and BAAs with business associates.

3. Implement Physical Safeguards (§164.310)

Facility access controls, workstation use and workstation security, and device and media controls (disposal, media re-use, accountability, data backup and storage).

4. Implement Technical Safeguards (§164.312)

Access control (unique user ID, emergency access, automatic logoff, encryption/decryption), audit controls, integrity (mechanisms to authenticate ePHI), person/entity authentication, and transmission security (integrity controls + encryption).

5. Resolve "Required" vs "Addressable" specifications

Under the current rule, each implementation specification is Required (must implement) or Addressable (assess whether reasonable and appropriate; if so implement, if not document why and implement an equivalent alternative). Addressable does not mean optional — it means make and document a risk-based decision.

6. Execute Business Associate Agreements (§164.314 / §164.308(b))

Every business associate that touches ePHI needs a BAA binding it to safeguard ePHI, report incidents, and flow requirements to subcontractors. Maintain the BAA inventory.

7. Track the 2025 NPRM proposed changes (NOT yet final)

HHS OCR published an NPRM (Jan 6, 2025) proposing to remove the required/addressable distinction (make nearly all specifications required), and to mandate MFA, encryption of ePHI at rest and in transit, asset inventory and network maps, vulnerability scans every 6 months, annual penetration testing, 72-hour restoration of certain systems/data, and annual risk-analysis updates. These are proposals — the current rule remains in force until a final rule is published and effective. Plan toward them, but comply with what is current.

8. Stand up breach-notification readiness (45 CFR §§164.400–414)

Define how you detect, assess (the four-factor risk assessment), and report breaches of unsecured PHI: to individuals and HHS (and media for breaches affecting 500+ in a state/jurisdiction), within the required timelines. Encryption to NIST standards renders PHI "secured" and is a safe harbor from breach notification.

9. Document everything (§164.316)

Maintain policies, procedures, and records of actions/decisions in writing, retain for six years, review periodically, and update in response to environmental or operational change.

Key Concepts

Concept Definition
ePHI Electronic protected health information — the Security Rule's scope.
Covered entity Health plan, clearinghouse, or provider doing electronic transactions.
Business associate A vendor that handles ePHI for a covered entity; bound by a BAA.
Risk analysis Required, documented assessment of risks to ePHI (§164.308(a)(1)(ii)(A)).
Required vs addressable Must-implement vs risk-based-decision implementation specifications.
Administrative / Physical / Technical safeguards §164.308 / §164.310 / §164.312.
BAA Business Associate Agreement — contractually binds vendors to safeguard ePHI.
Breach (unsecured PHI) Triggers notification under §§164.400–414; encryption is a safe harbor.
OCR HHS Office for Civil Rights — enforces HIPAA.
Six-year retention Documentation retention requirement (§164.316).

Tools & Systems

  • 45 CFR Part 164 Subpart C — the Security Rule text (and Subpart D, Breach Notification).
  • HHS Security Risk Assessment (SRA) Tool — free guided risk analysis.
  • NIST SP 800-66 Rev 2 — implementing the HIPAA Security Rule (NIST guidance, maps to 800-53).
  • NIST SP 800-30 — risk-assessment methodology to ground the SRA.
  • GRC / compliance platforms — to manage policies, the BAA inventory, and evidence.
  • Encryption / MFA / SIEM / audit-logging tooling — to satisfy technical safeguards and the proposed mandates.

Common Scenarios

  • OCR investigation after a breach. First request is almost always the current, dated risk analysis and the risk-management plan — have them ready.
  • New SaaS handling ePHI. Sign a BAA before any ePHI flows; confirm the vendor's safeguards.
  • Addressable spec you won't implement as written. Document the risk-based rationale and the equivalent alternative you implemented instead.
  • Preparing for the proposed rule. Pre-position MFA, at-rest/in-transit encryption, asset inventory, scanning, and pen-testing so a final rule is a small step, not a scramble.
  • Lost/stolen device. If ePHI was encrypted to NIST standards, the safe harbor applies; if not, run the four-factor breach assessment and notify as required.

Output Format

Produce a HIPAA Security Rule Gap Assessment using assets/template.md, containing:

  1. Role & ePHI scope — covered entity vs BA; ePHI data map and systems.
  2. Risk analysis summary — top risks to ePHI with likelihood/impact (feeds risk management).
  3. Safeguard status — Administrative / Physical / Technical, each specification marked Implemented / Partial / Gap with required-vs-addressable noted.
  4. BAA inventory — business associates and BAA status.
  5. Breach-notification readiness — detection, four-factor assessment, notification workflow.
  6. 2025 NPRM gap view — readiness against the proposed mandates (clearly labeled proposed).
  7. Remediation plan — prioritized, with owners and dates; required specs and risk-analysis gaps first.

Use scripts/process.py to score a safeguard-status JSON across the §164.308/310/312 standards, weight required gaps above addressable ones, and emit the gap table plus a remediation-priority list.

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

standards.md5.5 KB

HIPAA Security Rule — Standards & Reference

Primary regulation

HIPAA Security Rule — 45 CFR Part 164, Subpart C

Rule structure (key sections)

Section Title
§164.302 Applicability
§164.304 Definitions
§164.306 Security standards: general rules (flexibility, scalability)
§164.308 Administrative safeguards
§164.310 Physical safeguards
§164.312 Technical safeguards
§164.314 Organizational requirements (BAAs, group health plans)
§164.316 Policies, procedures, and documentation (6-year retention)

Breach Notification Rule: 45 CFR §§164.400–414 (Subpart D).

Administrative safeguards (§164.308) — standards

  • Security Management Process — Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R)
  • Assigned Security Responsibility (named Security Official)
  • Workforce Security (authorization/supervision, clearance, termination — Addressable)
  • Information Access Management (isolating clearinghouse functions (R); access authorization/establishment/modification — Addressable)
  • Security Awareness and Training (reminders, malware protection, log-in monitoring, password management — Addressable)
  • Security Incident Procedures — Response and Reporting (R)
  • Contingency Plan — Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing/Revision (A), Applications/Data Criticality Analysis (A)
  • Evaluation (periodic)
  • Business Associate Contracts (§164.308(b))

Physical safeguards (§164.310) — standards

  • Facility Access Controls (contingency operations, facility security plan, access control/validation, maintenance records — all Addressable)
  • Workstation Use (R)
  • Workstation Security (R)
  • Device and Media Controls — Disposal (R), Media Re-use (R), Accountability (A), Data Backup and Storage (A)

Technical safeguards (§164.312) — standards

  • Access Control — Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A)
  • Audit Controls (R)
  • Integrity — Mechanism to Authenticate ePHI (A)
  • Person or Entity Authentication (R)
  • Transmission Security — Integrity Controls (A), Encryption (A)

(R) = Required, (A) = Addressable, under the current rule.

Required vs Addressable

  • Required: must be implemented as specified.
  • Addressable: assess whether the specification is reasonable and appropriate; if yes, implement; if no, document why and implement an equivalent alternative measure if reasonable. Addressable is not optional.

Breach Notification (45 CFR §§164.400–414)

  • Applies to breaches of unsecured PHI.
  • Four-factor risk assessment to determine whether a breach occurred (nature/extent of PHI, who used/received it, whether it was actually acquired/viewed, mitigation).
  • Notify individuals without unreasonable delay and within 60 days; notify HHS (annually for <500; without unreasonable delay and within 60 days for 500+); notify media for breaches affecting 500+ residents of a state/jurisdiction.
  • Safe harbor: PHI encrypted to HHS/NIST-specified standards is "secured" and not subject to breach notification.

2025 NPRM — PROPOSED changes (NOT yet final)

  • Citation: 90 FR 800, RIN 0945-AA22, published January 6, 2025; comment period closed March 7, 2025.
  • Status: Proposed only. The current Security Rule remains in force until a final rule is published and becomes effective. Track at https://www.federalregister.gov.
  • Notable proposals:
    • Remove the required/addressable distinction — make (nearly) all implementation specifications required.
    • Mandatory multi-factor authentication.
    • Mandatory encryption of ePHI at rest and in transit.
    • Asset inventory and network maps, updated regularly.
    • Vulnerability scans at least every 6 months and penetration testing at least annually.
    • 72-hour restoration of certain systems/data after an incident.
    • Annual risk-analysis updates and written documentation of compliance reviews.
  • Typical effective/compliance timing if finalized: effective ~60 days after publication; compliance ~180 days after effective (subject to the final rule).

Supporting NIST guidance

Document Role
NIST SP 800-66 Rev 2 (2024) Implementing the HIPAA Security Rule; maps safeguards to SP 800-53 controls.
NIST SP 800-30 Rev 1 Risk-assessment methodology underpinning the required risk analysis.
HHS SRA Tool Free guided Security Risk Assessment for smaller organizations.

NIST CSF 2.0 alignment

CSF 2.0 ID Relevance
GV.OC-03 Legal/regulatory (HIPAA) requirements understood.
GV.RM-01 Risk-management objectives established.
ID.RA-01 / ID.RA-05 Vulnerabilities identified; risk informs prioritization (the risk analysis).
PR.DS-01 Data-at-rest protection (encryption of ePHI).
PR.AA-01 Identity/authentication (unique IDs, MFA).
DE.CM-01 Monitoring (audit controls, activity review).

Scripts 1

process.py7.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
HIPAA Security Rule safeguard gap-assessment scorer.

Scores a safeguard-status inventory across the Administrative (164.308),
Physical (164.310), and Technical (164.312) safeguards. Required gaps are
weighted above addressable gaps, and any gap in the Risk Analysis or Risk
Management specifications is escalated (these are the most-cited OCR findings).
Emits a gap table, a weighted readiness score, and a prioritized remediation list.

Input JSON shape:
{
  "org": {"name": "Northstar Clinic", "role": "Covered Entity"},
  "safeguards": [
    {
      "id": "164.308(a)(1)(ii)(A)", "section": "308",
      "name": "Risk Analysis", "requirement": "required",
      "status": "gap"
    },
    {
      "id": "164.312(a)(2)(iv)", "section": "312",
      "name": "Encryption and Decryption", "requirement": "addressable",
      "status": "partial",
      "alternative_documented": false
    }
  ]
}

requirement: required | addressable
status: implemented | partial | gap

Usage:
  python process.py --input safeguards.json [--output gap.md]
  python process.py --input safeguards.json --fail-on-required-gap
"""

import argparse
import json
import sys

SECTION_NAMES = {
    "308": "Administrative (§164.308)",
    "310": "Physical (§164.310)",
    "312": "Technical (§164.312)",
}
VALID_REQ = {"required", "addressable"}
VALID_STATUS = {"implemented", "partial", "gap"}

# status -> credit fraction toward "implemented"
CREDIT = {"implemented": 1.0, "partial": 0.5, "gap": 0.0}
# weighting: required safeguards count more toward the score
WEIGHT = {"required": 2, "addressable": 1}

# Specifications whose absence OCR cites most often -> escalate
HIGH_PRIORITY_KEYS = ("risk analysis", "risk management")


def score(data):
    sgs = data.get("safeguards", [])
    if not sgs:
        raise ValueError("safeguards list is required")

    total_weight = 0.0
    earned_weight = 0.0
    required_gaps = []
    addressable_gaps = []
    escalated = []
    by_section = {}
    rows = []

    for s in sgs:
        sid = s.get("id", "?")
        req = s.get("requirement")
        status = s.get("status")
        if req not in VALID_REQ:
            raise ValueError(f"{sid}: requirement '{req}' invalid (required|addressable)")
        if status not in VALID_STATUS:
            raise ValueError(f"{sid}: status '{status}' invalid (implemented|partial|gap)")

        section = str(s.get("section", "")).replace("164.", "").strip()
        sec_rec = by_section.setdefault(section, {"implemented": 0, "partial": 0, "gap": 0})
        sec_rec[status] += 1

        w = WEIGHT[req]
        total_weight += w
        earned_weight += w * CREDIT[status]

        name = s.get("name", "")
        is_high = any(k in name.lower() for k in HIGH_PRIORITY_KEYS)

        # an addressable item with a documented equivalent alternative is acceptable
        addressable_ok = (
            req == "addressable"
            and status != "implemented"
            and s.get("alternative_documented") is True
        )

        if status in ("gap", "partial") and not addressable_ok:
            if req == "required":
                required_gaps.append(s)
            else:
                addressable_gaps.append(s)
            if is_high:
                escalated.append(s)

        rows.append((sid, section, name, req, status, s.get("alternative_documented", None), is_high))

    readiness = (100.0 * earned_weight / total_weight) if total_weight else 0.0
    return {
        "readiness": readiness,
        "required_gaps": required_gaps,
        "addressable_gaps": addressable_gaps,
        "escalated": escalated,
        "by_section": by_section,
        "rows": rows,
    }


def render(data, res):
    org = data.get("org", {})
    lines = []
    lines.append(f"# HIPAA Security Rule Gap Assessment - {org.get('name','Organization')}")
    lines.append("")
    if org.get("role"):
        lines.append(f"- **Role:** {org['role']}")
    lines.append(f"- **Weighted readiness:** **{res['readiness']:.0f}%** "
                 "(required specifications weighted 2x addressable)")
    lines.append(f"- **Required gaps:** {len(res['required_gaps'])} | "
                 f"Addressable gaps (no documented alternative): {len(res['addressable_gaps'])}")
    lines.append("")

    if res["escalated"]:
        lines.append("> **OCR-priority gap detected:** Risk Analysis / Risk Management is "
                     "incomplete. This is the most-cited HIPAA finding - remediate first.")
        lines.append("")

    # status by section
    lines.append("## Status by safeguard section")
    lines.append("")
    lines.append("| Section | Implemented | Partial | Gap |")
    lines.append("|---|---|---|---|")
    for sec in sorted(res["by_section"]):
        r = res["by_section"][sec]
        label = SECTION_NAMES.get(sec, sec)
        lines.append(f"| {label} | {r['implemented']} | {r['partial']} | {r['gap']} |")
    lines.append("")

    # full table
    lines.append("## Safeguard detail")
    lines.append("")
    lines.append("| Specification | Section | Requirement | Status | Alt. documented |")
    lines.append("|---|---|---|---|---|")
    for sid, sec, name, req, status, alt, _ in res["rows"]:
        altdisp = "-" if alt is None else ("yes" if alt else "no")
        secdisp = SECTION_NAMES.get(sec, sec)
        lines.append(f"| {sid} {name} | {secdisp} | {req} | {status} | {altdisp} |")
    lines.append("")

    # remediation priority
    lines.append("## Remediation priority")
    lines.append("")
    order = []
    order += [(s, "ESCALATED (Risk Analysis/Mgmt)") for s in res["escalated"]]
    order += [(s, "Required gap") for s in res["required_gaps"] if s not in res["escalated"]]
    order += [(s, "Addressable - implement or document alternative") for s in res["addressable_gaps"]]
    if not order:
        lines.append("No outstanding gaps. Maintain documentation and re-evaluate on change.")
    else:
        seen = set()
        i = 1
        for s, why in order:
            key = s.get("id")
            if key in seen:
                continue
            seen.add(key)
            lines.append(f"{i}. **{s.get('id')}** {s.get('name','')} - {why} "
                         f"(currently {s.get('status')}).")
            i += 1

    return "\n".join(lines)


def main():
    ap = argparse.ArgumentParser(description="HIPAA Security Rule safeguard gap-assessment scorer")
    ap.add_argument("--input", "-i", required=True, help="Path to safeguard-status JSON")
    ap.add_argument("--output", "-o", help="Write Markdown gap assessment to this path")
    ap.add_argument("--fail-on-required-gap", action="store_true",
                    help="Exit non-zero if any required specification is partial/gap")
    args = ap.parse_args()

    try:
        with open(args.input) as f:
            data = json.load(f)
    except (OSError, json.JSONDecodeError) as e:
        print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
        return 2

    try:
        res = score(data)
        md = render(data, res)
    except ValueError as e:
        print(f"ERROR: {e}", file=sys.stderr)
        return 2

    if args.output:
        with open(args.output, "w") as f:
            f.write(md + "\n")
        print(f"Gap assessment written to {args.output}", file=sys.stderr)
    else:
        print(md)

    print(f"Readiness {res['readiness']:.0f}%; required gaps {len(res['required_gaps'])}; "
          f"escalated {len(res['escalated'])}.", file=sys.stderr)

    if args.fail_on_required_gap and res["required_gaps"]:
        ids = ", ".join(s.get("id", "?") for s in res["required_gaps"])
        print(f"FAIL: {len(res['required_gaps'])} required specification gap(s): {ids}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())

Assets 1

template.mdtext/markdown · 4.0 KB
Keep exploring