HIPAA Security Safeguards: Administrative, Physical & Technical

Instructor: Beth Hendricks

Beth holds a master's degree in integrated marketing communications, and has worked in journalism and marketing throughout her career.

HIPAA's Security Rule sets forth specific safeguards that medical providers must adhere to. In this lesson, you'll learn more about the administrative, physical and technical safeguards designed to protect patient data.

Protecting Data

The Health Insurance Portability and Accountability Act (HIPAA) was designed to ensure that patients' protected health information, or identifying personal or medical data, would be safeguarded and kept private.

In order to ensure that privacy, certain security safeguards were created, which are protections that are either administrative, physical or technical. After all, keeping a patient's medical data protected would require things like ensuring only appropriate personnel have access to records or that adequate training is conducted to keep workers abreast of privacy concerns.

Let's take a look at the safeguards used under the Security Rule of HIPAA. It is essentially a three-pronged approach to keeping data protected.

Security Safeguards

The HIPAA Security Rule set apart some safeguards that lawmakers felt were important when covered entities like hospitals or physicians' offices were to collect, maintain or share patient data. In order to be HIPAA-compliant, these entities must comply with each of these safeguard categories to help ensure patient confidentiality, mitigate risks or threats to data and protect against unauthorized disclosures.

Here's what they came up with.


Administrative safeguards occur at the administrative level of an organization and include policies and procedures designed to protect patient information. That might take the form of designating a security official whose job it is to create office-wide policies, enforce them and train employees on HIPAA measures.

Other administrative functions might be conducting risk assessments, regularly evaluating the effectiveness of the entity's security measures and keeping a handle on the type of information disclosed, such as to another physician the patient is being referred to.

A hospital that is complying with administrative safeguards will conduct training sessions on HIPAA-related matters for all applicable employees and continue training them as necessary, such as after a breach, for example.

Specific administrative safeguards, according to HIPAA, include:

Administrative Safeguard What it Includes
Security Management Process Risk assessments and security measures
Security Personnel Assigning a security official to create and implement policies
Information Access Management Access authorization to medical records
Workforce Training/Management Training and education programs for employees
Evaluation Tracking the effectiveness of security measures


Physical safeguards are actual physical protections put in place to protect electronic systems, workplace equipment and patient data. These types of safeguards help to limit unauthorized workstation access, ensure that patient data is moved or disposed of properly and protect even the physical facilities where rereads are located. To that end, it also incorporates policies and procedures designed to physically protect records, equipment and an entity's buildings.

An example of physical safeguards in action might be an entity's policy not to let employees take work laptops home on the weekends to protect against a computer being stolen and/or information being accessed by unauthorized individuals.

Specific physical safeguards, according to HIPAA, include:

Physical Safeguard What it Includes
Facility Access/Control Limiting access to buildings or facilities where patient data is used.
Workstation/Device Security Maintaining security controls over work computers and other devices where patient data is stored.


Technical safeguards refer to the automated processes that employees use to access patient data. Think of things like log-on credentials, passkeys, passwords and other authentication measures that allow only authorized employees access to information.

To unlock this lesson you must be a Study.com Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use Study.com

Become a Study.com member and start learning now.
Become a Member  Back
What teachers are saying about Study.com
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? Study.com has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account