← Frameworks / Healthcare Regulation

HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C)

US federal regulation establishing national standards for protecting electronic protected health information (ePHI). 63 specifications across administrative safeguards (security management, workforce security, information access, awareness training, security incident procedures, contingency planning), physical safeguards (facility access, workstation use, device controls), and technical safeguards (access control, audit controls, integrity, authentication, transmission security). Covers all HIPAA covered entities and business associates.

Clauses: 63

Avg Coverage: 86.6%

Publisher: U.S. Department of Health and Human Services (HHS) Version: 2013 (Omnibus Rule)

HIPAA Security Rule → SP 800-53 SP 800-53 → HIPAA Security Rule Coverage Analysis

Clause	Title	SP 800-53 Controls
§164.308(a)(1)(i)	Security Management Process (Standard)	PL-01 PL-02 PM-01 PM-03 PM-09 PM-10 PM-11 RA-01 RA-02 RA-03 CA-02 CA-05 CA-07
§164.308(a)(1)(ii)(A)	Risk Analysis (Required)	RA-01 RA-02 RA-03 RA-05 RA-07 RA-09 PM-09 CA-02 CA-07
§164.308(a)(1)(ii)(B)	Risk Management (Required)	RA-03 RA-07 PM-09 PM-10 CA-05 CA-07 PL-02 PL-10 PL-11
§164.308(a)(1)(ii)(C)	Sanction Policy (Required)	PS-08 PL-04 PS-01 PS-06
§164.308(a)(1)(ii)(D)	Information System Activity Review (Required)	AU-01 AU-02 AU-03 AU-06 AU-07 AU-09 AU-11 AU-12 AU-13 AU-14 SI-04 CA-07
§164.308(a)(2)	Assigned Security Responsibility (Standard, Required)	PM-02 PM-01 PL-01 PM-10 PS-01 PM-24
§164.308(a)(3)(i)	Workforce Security (Standard)	AC-01 AC-02 AC-03 AC-05 AC-06 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07
§164.308(a)(3)(ii)(A)	Authorization and/or Supervision (Addressable)	AC-02 AC-03 AC-05 AC-06 PS-02 PS-03
§164.308(a)(3)(ii)(B)	Workforce Clearance Procedure (Addressable)	PS-02 PS-03 PS-06 AC-02 AC-06
§164.308(a)(3)(ii)(C)	Termination Procedures (Addressable)	PS-04 PS-05 PS-08 AC-02 IA-04
§164.308(a)(4)(i)	Information Access Management (Standard)	AC-01 AC-02 AC-03 AC-04 AC-06 AC-24 SC-04
§164.308(a)(4)(ii)(A)	Isolating Healthcare Clearinghouse Functions (Required)	AC-04 SC-02 SC-03 SC-07 SC-32
§164.308(a)(4)(ii)(B)	Access Authorization (Addressable)	AC-02 AC-03 AC-06 AC-24 PS-06
§164.308(a)(4)(ii)(C)	Access Establishment and Modification (Addressable)	AC-02 AC-03 AC-05 AC-06 IA-04 IA-05
§164.308(a)(5)(i)	Security Awareness and Training (Standard)	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-14
§164.308(a)(5)(ii)(A)	Security Reminders (Addressable)	AT-02 AT-06 SI-05 PM-13
§164.308(a)(5)(ii)(B)	Protection from Malicious Software (Addressable)	SI-03 SI-04 SI-08 AT-02 SC-44
§164.308(a)(5)(ii)(C)	Log-in Monitoring (Addressable)	AC-07 AU-02 AU-06 AU-12 SI-04
§164.308(a)(5)(ii)(D)	Password Management (Addressable)	IA-01 IA-04 IA-05 IA-06 IA-11
§164.308(a)(6)(i)	Security Incident Procedures (Standard)	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
§164.308(a)(6)(ii)	Response and Reporting (Required)	IR-04 IR-05 IR-06 IR-07 AU-06 SI-04 SI-05
§164.308(a)(7)(i)	Contingency Plan (Standard)	CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10
§164.308(a)(7)(ii)(A)	Data Backup Plan (Required)	CP-09 CP-06 MP-04 MP-05
§164.308(a)(7)(ii)(B)	Disaster Recovery Plan (Required)	CP-02 CP-07 CP-08 CP-10 CP-06
§164.308(a)(7)(ii)(C)	Emergency Mode Operation Plan (Required)	CP-02 CP-10 CP-11 CP-12 CP-13 PE-10 PE-11
§164.308(a)(7)(ii)(D)	Testing and Revision Procedures (Addressable)	CP-03 CP-04 CA-02 CA-07
§164.308(a)(7)(ii)(E)	Applications and Data Criticality Analysis (Addressable)	RA-02 RA-09 CP-02 PM-11
§164.308(a)(8)	Evaluation (Standard, Required)	CA-01 CA-02 CA-05 CA-07 RA-03 RA-05 PM-06 PM-14
§164.308(b)(1)	Business Associate Contracts and Other Arrangements (Standard)	SA-04 SA-09 PS-07 CA-03 PM-08 PT-01
§164.308(b)(3)	Written Contract or Other Arrangement (Required)	SA-04 SA-09 CA-03 PS-07
§164.310(a)(1)	Facility Access Controls (Standard)	PE-01 PE-02 PE-03 PE-04 PE-05 PE-06 PE-07 PE-08 PE-18
§164.310(a)(2)(i)	Contingency Operations (Addressable)	PE-01 PE-03 CP-02 CP-07 PE-10 PE-11
§164.310(a)(2)(ii)	Facility Security Plan (Addressable)	PE-01 PE-02 PE-03 PE-06 PL-02
§164.310(a)(2)(iii)	Access Control and Validation Procedures (Addressable)	PE-02 PE-03 PE-06 PE-08 IA-02 IA-08
§164.310(a)(2)(iv)	Maintenance Records (Addressable)	MA-01 MA-02 MA-03 MA-05 MA-06
§164.310(b)	Workstation Use (Standard, Required)	AC-01 AC-11 AC-17 AC-20 PL-04 SC-15 PE-18
§164.310(c)	Workstation Security (Standard, Required)	PE-01 PE-02 PE-03 AC-11 MP-02 SC-28
§164.310(d)(1)	Device and Media Controls (Standard)	MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07
§164.310(d)(2)(i)	Disposal (Required)	MP-06 MP-01 SR-12
§164.310(d)(2)(ii)	Media Re-use (Required)	MP-06 MP-07
§164.310(d)(2)(iii)	Accountability (Addressable)	MP-04 MP-05 CM-08 PE-16 PE-20
§164.310(d)(2)(iv)	Data Backup and Storage (Addressable)	CP-09 CP-06 MP-04 SC-28
§164.312(a)(1)	Access Control (Standard)	AC-01 AC-02 AC-03 AC-06 AC-07 AC-11 AC-17 AC-24 SC-13 SC-28
§164.312(a)(2)(i)	Unique User Identification (Required)	IA-01 IA-02 IA-04 IA-08 AC-02
§164.312(a)(2)(ii)	Emergency Access Procedure (Required)	AC-02 AC-14 CP-02 CP-10
§164.312(a)(2)(iii)	Automatic Logoff (Addressable)	AC-11 AC-12 SC-10
§164.312(a)(2)(iv)	Encryption and Decryption (Addressable)	SC-12 SC-13 SC-28
§164.312(b)	Audit Controls (Standard, Required)	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 AU-14
§164.312(c)(1)	Integrity (Standard)	SI-01 SI-07 SC-08 SC-28 SI-10
§164.312(c)(2)	Mechanism to Authenticate Electronic Protected Health Information (Addressable)	SI-07 SC-08 SC-28 AU-10
§164.312(d)	Person or Entity Authentication (Standard, Required)	IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 IA-08 IA-09 IA-11 IA-12
§164.312(e)(1)	Transmission Security (Standard)	SC-01 SC-07 SC-08 SC-12 SC-13 SC-23 AC-17 AC-18
§164.312(e)(2)(i)	Integrity Controls (Addressable)	SC-08 SI-07 AU-10
§164.312(e)(2)(ii)	Encryption (Addressable)	SC-08 SC-12 SC-13 SC-17
§164.314(a)(1)	Business Associate Contracts or Other Arrangements (Standard)	SA-04 SA-09 PS-07 CA-03 PM-08 SR-01 SR-02 SR-03
§164.314(a)(2)	Business Associate Contract Requirements (Required)	SA-04 SA-09 CA-03 PS-07 SR-03
§164.314(b)(1)	Requirements for Group Health Plans (Standard)	AC-04 SC-07 SA-09 PM-08
§164.314(b)(2)	Group Health Plan Implementation Specifications (Required)	AC-03 AC-04 AC-06 SC-07 SC-32
§164.316(a)	Policies and Procedures (Standard, Required)	PL-01 PL-02 PL-04 PM-01 PM-03 PM-09 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01 PT-01
§164.316(b)(1)	Documentation (Standard)	PL-02 PM-01 AU-01 CA-01 CM-01 SA-05
§164.316(b)(2)(i)	Time Limit (Required)	AU-11 SI-12
§164.316(b)(2)(ii)	Availability (Required)	SA-05 CM-06 PM-01 PL-02
§164.316(b)(2)(iii)	Updates (Required)	PL-02 PM-01 CA-07 CM-03