So you want to learn about the HIPAA Security Rule? Be warned: it is a complex regulation, so this "tour" cannot be a simple one. For the tour, we make use of our glossary entries for the Security Rule, which are numerous and, in some cases, rather lengthy. (Note also that these entries are written so that they may be read independently. If you march through them one after another, you'll have to endure some redundancies.)
The good news is that the Security Rule is logically structured and relatively compact given its broad aim to generate a complete framework for electronic information security. By contrast, the hopelessly convoluted (and much longer) HIPAA Privacy Rule is the dog's breakfast.
The bad news is, as you will soon see, that the Security Rule only sets a general structure. It is up to each organization to determine the details of (to use the Rule's two favorite adjectives) "reasonable and appropriate" security arrangements. That will require continually looking outward to the practices of similar entities, as well as consulting the evolving standards and recommendations of professional organizations.
Do not despair! Much of what the Rule requires -- DHHS would say ALL of it -- is simply common sense information security practice. You and your organization are probably doing most of it already. (And if you are not, chances are you're already in violation of your state's privacy laws as well as the norms of various professional organizations. So, in that case, get busy.)
It is not expected that you will remember everything you read (or glance at) in these entries. The point is to gain an overall familiarity with the material and, of equal importance, a sense of where you can find information when specific questions arise. If you cannot find the answer you are looking for in these entries, please feel free to contact us.
As you read entries, you can use your browser's back button to return to this page, or you can pursue links within each entry that will take you on a different path. (As you proceed, the links will change from blue to purple, to remind you of what you've already visited.) There is no one right way to use the materials here. Let your curiosity and your information needs be your guide.
Security Rule parameters
Security standards and implementation specifications
Timetable for implementation
Other parts of HIPAA
More background information
Topics in information security
last modified: 03-Oct-2003 [RC]