
HIPAA Security Rule

HIPAA Security Rule (45 CFR Part 164, Subpart C)

45 CFR 164.302-318

18 controls · 3 domains
Mandatory under US federal law

About this framework

The HIPAA Security Rule is the US standard for protecting electronic health information. It requires healthcare organisations and their partners to apply administrative, physical, and technical safeguards to keep patient data secure.

Who needs this

Mandatory for US healthcare providers, health plans, and the vendors that handle patient data.

Cross-framework coverage

Controls in HIPAA Security Rule also cover:

NIST CSF · 14 shared controls
CIS Controls · 14 shared controls
NCA ECC-2 · 14 shared controls
Qatar NIA · 14 shared controls
UAE IA · 14 shared controls

Control domains

Administrative Safeguards · 9 controls

164.308(a)(1) · Security Management Process
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.308(a)(2) · Assigned Security Responsibility
Also mapped to: NIST CSF · CIS Controls · ISO 27001 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.308(a)(3) · Workforce Security
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.308(a)(4) · Information Access Management
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.308(a)(5) · Security Awareness and Training
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.308(a)(6) · Security Incident Procedures
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.308(a)(7) · Contingency Plan
Also mapped to: NIST CSF · CIS Controls · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · NCA OTCC · ADHICS

164.308(a)(8) · Evaluation
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.308(b)(1) · Business Associate Contracts and Other Arrangements
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · DORA · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

Physical Safeguards · 4 controls

164.310(a)(1) · Facility Access Controls
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.310(b) · Workstation Use
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR

164.310(c) · Workstation Security
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.310(d)(1) · Device and Media Controls
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · DORA · GDPR (EU) · UK GDPR

Technical Safeguards · 5 controls

164.312(a)(1) · Access Control
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.312(b) · Audit Controls
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · GDPR (EU) · UK GDPR · ISO 27001 · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.312(c)(1) · Integrity
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · DORA

164.312(d) · Person or Entity Authentication
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · Cyber Essentials Plus · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS

164.312(e)(1) · Transmission Security
Also mapped to: NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · NIS2 · GDPR (EU) · UK GDPR · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS