U.S. Department of Health and Human Services (HHS), Office for Civil Rights

HIPAA Security Rule

U.S. federal law mandating protection of electronic Protected Health Information across healthcare and business associates

Controls: 38
Questions: 114
Status: Active

About this Framework

The HIPAA Security Rule establishes national standards to protect electronic protected health information (ePHI) that covered entities create, receive, use or maintain. The Rule requires administrative, physical and technical safeguards; violations carry civil penalties from $100 to $50,000 per violation, with annual caps reaching $1.9 million per violation category, plus potential criminal prosecution.

Key Control Domains

Administrative Safeguards
Physical Safeguards
Technical Safeguards
Organizational Requirements
Policies & Procedures
Documentation Requirements

Who Needs This?

  • Healthcare providers (hospitals, clinics, physicians)
  • Health plans and health insurance companies
  • Healthcare clearinghouses
  • Business associates handling ePHI (IT vendors, cloud providers, consultants)

Compliance Benefits

  • Legal compliance and avoidance of OCR fines
  • Patient trust and protection of sensitive health data
  • Prerequisite for healthcare IT vendor contracts
  • Structured ePHI risk management program

Official Reference

HHS HIPAA Security Rule
https://www.hhs.gov/hipaa/for-professionals/security/index.html

Assessment Details

Issuer / Authority: U.S. Department of Health and Human Services (HHS), Office for Civil Rights
Framework: HIPAA Security Rule
Controls: 38
Questions: 114
Status: Active
Assessment Start: 10 May 2026

Permanent link to this assessment:

https://grcopilot.app/frameworks/hipaa-security-rule
