HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, published by the U.S. Department of Health and Human Services (HHS), establishes national standards for protecting electronic protected health information (ePHI). It applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — as well as any business associates that create, receive, maintain, or transmit ePHI on their behalf. The Security Rule takes a technology-neutral approach, specifying required and addressable implementation specifications without mandating specific technical solutions. This flexibility allows organizations to implement controls appropriate to their size, complexity, and risk profile — but it also requires documented risk analysis and risk management to justify the safeguards chosen. A HIPAA audit or enforcement action will scrutinize both your controls and your documentation of why you implemented them. Ayliea’s 80-question HIPAA assessment evaluates your implementation across the Security Rule’s three safeguard categories: administrative, physical, and technical. It is designed to surface gaps before an audit or breach rather than after.
What Ayliea Assesses
The assessment maps to the Security Rule’s three safeguard categories and the major standards within each.
Administrative Safeguards
The largest safeguard category by question count. Covers your security management process (including risk analysis and risk management), assigned security responsibility, workforce training and access management, information access controls, security incident procedures, contingency planning, and evaluation procedures. Required specifications are assessed as binary; addressable specifications are evaluated based on your documented rationale and chosen alternatives.
Physical Safeguards
Controls protecting physical access to systems that store or process ePHI. Evaluates facility access controls, workstation use policies and security, and device and media controls — including disposal, re-use, and accountability for hardware assets containing ePHI.
Technical Safeguards
Access control, audit controls, integrity controls, authentication, and transmission security. Questions assess encryption at rest and in transit, unique user identification, emergency access procedures, automatic logoff, and encryption of ePHI transmitted over open networks.
Organizational Requirements & Policies
Business associate agreements, group health plan requirements, and the existence of documented policies and procedures. Evaluates whether your documentation is current, accessible to workforce members who need it, and retained for the required six-year period.
Who Needs This Assessment
- Healthcare providers (hospitals, clinics, physician practices, mental health providers) that transmit health information electronically
- Health plans and health insurance companies
- Healthcare clearinghouses that process health information
- Business associates — IT vendors, billing companies, cloud providers, legal firms, and any other entity that handles ePHI on behalf of a covered entity
- Organizations preparing for an HHS Office for Civil Rights (OCR) audit
- Healthcare organizations conducting their annual HIPAA risk analysis as required by the Security Rule
- Any organization that has recently experienced a breach and is remediating identified gaps