HIPAA Security Rule

US federal requirements for protecting electronic protected health information (ePHI).

2013 Final Rule54 Controls Mapped

Overview

The HIPAA Security Rule establishes national standards to protect electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards. While HIPAA does not specify exact technologies, it mandates risk analysis, access controls, audit controls, integrity controls, and transmission security. Organizations must document their security measures and ensure workforce members are trained on policies.

Legal compliance for healthcare organizations
Protects patient privacy and trust
Reduces breach notification obligations
Required for healthcare industry contracts
Demonstrates commitment to data protection

Published by

U.S. Department of Health and Human Services

Official Documentation

TrueConfig Control Mappings

TrueConfig maps 54 security controls to HIPAA requirements, helping you demonstrate compliance and identify gaps.

18

critical

21

high

12

medium

3

low

Identity & Authentication

5 controls

ID-01User MFA Registration
critical
ID-02Block Legacy Authentication
high
ID-03Enable Self-Service Password Reset
medium
ID-05Configure Smart Lockout Protection
high
ID-04Require Phishing-Resistant MFA for All Users
critical

Privileged Access

8 controls

PA-01Limit Global Administrators to 2-4
critical
PA-02Use Dedicated Admin Accounts
high
PA-03Configure Emergency Access Accounts
critical
PA-01-L2Eliminate Permanent Global Administrators
critical
PA-04Require PIM for All Privileged Roles
critical
+3 more controls

Conditional Access

12 controls

CA-01Require MFA via Conditional Access Policy
critical
CA-02Require MFA for All Administrators
critical
CA-08Block Access from High-Risk Countries
medium
CA-11Enforce Session Lifetime Limits for Guests and Admins
medium
DV-01Require Compliant Devices for Admin Access
high
+7 more controls

Workload Identity & Applications

8 controls

APP-01Application Ownership for Apps with Credentials
low
APP-02Enforce Application Credential Expiration
critical
APP-05Service Principal Credential Hygiene
critical
APP-08Restrict User Application Consent
high
APP-03Internal App Registration Permissions
high
+3 more controls

Guest & External Access

7 controls

EXT-01Restrict Guest Invitation Permissions
high
EXT-02Require MFA for Guest Users
medium
EXT-06External Sharing Visibility
medium
EXT-07Detect External Mail Forwarding
critical
EXT-04Configure Guest Access Expiration
medium
+2 more controls

Governance & Hygiene

6 controls

GOV-01Review Stale User Accounts
medium
GOV-05Maintain Group Naming Conventions
low
GOV-07Audit Privileged Role Assignments
high
GOV-02Automatically Disable Stale Accounts
medium
GOV-03Conduct Quarterly Privileged Access Reviews
high
+1 more controls

Logging & Visibility

5 controls

LOG-01Enable Unified Audit Logging
high
LOG-04Configure Privileged Operation Alerts
critical
LOG-02Export Logs to Long-Term Storage
medium
LOG-05Admin Activity Anomaly Detection
high
LOG-03Stream All Security Events to SIEM in Real-Time
high

License Management

1 controls

LIC-01License Utilization Visibility
low

Data Protection

2 controls

DLP-01Enable Sensitive Data Classification
high
DLP-02Block Bulk Data Exfiltration
critical

Who Needs HIPAA?

Target Industries

HealthcareInsuranceTechnologyPharmaceutical

Audience Types

regulatedenterprise

Frequently Asked Questions

What is HIPAA Security Rule?
The HIPAA Security Rule establishes national standards to protect electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards. While HIPAA does not specify exact technologies, it mandates risk analysis, access controls, audit controls, integrity controls, and transmission security. Organizations must document their security measures and ensure workforce members are trained on policies.
How does TrueConfig help with HIPAA compliance?
TrueConfig maps 54 security controls to HIPAA requirements. Each control includes specific guidance on how it satisfies HIPAA requirements, making it easier to demonstrate compliance and identify gaps.
Who needs to comply with HIPAA?
HIPAA is typically required or recommended for organizations in regulated industries, enterprise organizations. Industries that commonly need this framework include healthcare, insurance, technology.
What are the key benefits of HIPAA compliance?
Legal compliance for healthcare organizations Protects patient privacy and trust Reduces breach notification obligations Required for healthcare industry contracts Demonstrates commitment to data protection

Related Frameworks

CIS Benchmark

Industry-standard security configuration guide for Microsoft 365 developed by the Center for Internet Security.

53 controls →

SOC 2

Service organization control framework for security, availability, processing integrity, confidentiality, and privacy.

54 controls →

ISO 27001

International standard for information security management systems with Annex A controls.

54 controls →

Automate HIPAA Compliance

TrueConfig continuously monitors your Microsoft 365 tenant against HIPAA requirements and helps you remediate deviations automatically.

Start Free Trial