The HIPAA Security Rule
Finalized in 2003, the Security Rule covers only ePHI and binds both covered entities and business associates. It requires administrative, physical, and technical safeguards, is technology-neutral, and distinguishes between required and addressable implementation specifications.
The Security Rule establishes minimum security for ePHI that a covered entity or business associate receives, creates, maintains, or transmits. It is technology-neutral and aims for confidentiality, integrity, and availability of ePHI, plus protection against reasonably anticipated threats and impermissible uses.
The Privacy Rule covers ALL PHI in any form; the Security Rule covers only ePHI. The Security Rule uniquely addresses integrity, availability, data backup, and disaster recovery.
Implementation specifications are either required (adopt as written) or addressable (assess whether the specification is appropriate; if it is not adopted, document why and adopt a reasonable alternative). Programs must weigh the entity's size and complexity, its technical infrastructure, the cost of measures, and the probability and criticality of the risks. Each entity must name a security official, conduct initial and ongoing risk assessments, and run a security awareness and training program that includes discipline for noncompliance.