The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement Administrative, Physical, and Technical safeguards to protect electronic protected health information (ePHI). Each safeguard is a set of standards, and most standards carry one or more implementation specifications that 45 CFR 164.306(d) classifies as either required or addressable.
Understanding Required vs. Addressable
- Required — Must be implemented as specified. There is no flexibility.
- Addressable — The organisation must assess whether the specification is a reasonable and appropriate safeguard in its environment. If it is, implement it. If it is not, document the rationale and implement an equivalent alternative measure, or document why neither the specification nor an alternative is reasonable and appropriate.
Required and addressable describe implementation specifications, not standards. Every standard in the tables below is mandatory; a standard shown as addressable is one whose implementation specifications are all addressable. Addressable never means optional: skipping an addressable specification without the documented assessment and alternative measure is a gap, and the encryption specifications under Access Control and Transmission Security are addressable in exactly this sense.
Administrative Safeguards (45 CFR 164.308)
Administrative safeguards are the policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures. Key standards include:
| Standard | CFR Reference | Implementation specifications (R = required, A = addressable) |
|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | None; the standard itself is required |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A), Workforce Clearance Procedure (A), Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Functions (R), Access Authorization (A), Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A), Protection from Malicious Software (A), Log-in Monitoring (A), Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R), Disaster Recovery Plan (R), Emergency Mode Operation Plan (R), Testing and Revision Procedures (A), Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | None; the standard itself is required |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
Physical Safeguards (45 CFR 164.310)
Physical safeguards protect electronic information systems and the related buildings and equipment from natural and environmental hazards and from unauthorised intrusion.
| Standard | CFR Reference | Implementation specifications (R = required, A = addressable) |
|---|---|---|
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A) |
| Workstation Use | 164.310(b) | None; the standard itself is required |
| Workstation Security | 164.310(c) | None; the standard itself is required |
| Device and Media Controls | 164.310(d)(1) | Disposal (R), Media Re-use (R), Accountability (A), Data Backup and Storage (A) |
Technical Safeguards (45 CFR 164.312)
Technical safeguards are the technology and related policies and procedures used to protect ePHI and control access to it.
| Standard | CFR Reference | Implementation specifications (R = required, A = addressable) |
|---|---|---|
| Access Control | 164.312(a)(1) | Unique User Identification (R), Emergency Access Procedure (R), Automatic Logoff (A), Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | None; the standard itself is required |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate ePHI (A) |
| Person or Entity Authentication | 164.312(d) | None; the standard itself is required |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A), Encryption (A) |
Tracking Implementation Status
For each standard and implementation specification in Venvera, track:
- Status — Not Started, In Progress, Implemented, Not Applicable. Not Applicable is only defensible for an addressable specification backed by a documented assessment; a required specification cannot be marked Not Applicable.
- Implementation Details — Description of how the safeguard is implemented
- Responsible Person — The individual or role accountable for the safeguard
- Evidence — Attach documentation, screenshots, or policy references
- Review Date — Next scheduled review or reassessment date
- Addressable Rationale — For addressable specifications, document the assessment of reasonableness and appropriateness, the decision reached, and any equivalent alternative measures
Retain this documentation for at least six years from the date it was created or the date it was last in effect, whichever is later, as 45 CFR 164.316(b)(2) requires; superseded versions of a policy or rationale should be kept, not overwritten.
Cross-Framework Mapping
Many HIPAA safeguards map directly to controls in other frameworks. Venvera automatically cross-references HIPAA safeguards with equivalent controls in ISO 27001, NIST CSF, SOC 2, and other enabled frameworks to reduce duplicate effort. A mapped control only satisfies a HIPAA specification when its implementation actually covers the systems that store, process, or transmit ePHI, so confirm the scope of the reused evidence rather than relying on the mapping alone.