How to Comply with HIPAA Security Rule

The HIPAA Security Rule (45 CFR Part 164) establishes national standards for protecting electronic protected health information (ePHI). It requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. The rule includes both required and addressable implementation specifications; addressable does not mean optional, since an entity that decides an addressable specification is not reasonable and appropriate for its environment must document why and implement an equivalent alternative measure where one is reasonable and appropriate.

Coverage: 94% (46 controls required, 3 not applicable)

Why HIPAA Compliance Matters

HIPAA Security Rule compliance is required for all covered entities (healthcare providers, health plans, clearinghouses) and their business associates that handle electronic protected health information (ePHI). Violations can result in fines ranging from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. OCR audits and breach investigations make compliance a business necessity.

Compliance Checklist by Domain

The 46 controls below are mapped to HIPAA requirements. Work through each domain to build your compliance program.

Govern (6 controls)

| Control | HIPAA References | Also In |
| --- | --- | --- |
| Governance Policy | §164.308(a)(1)(i), §164.316(a) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Risk Management | §164.308(a)(1)(ii)(A), §164.308(a)(1)(ii)(B) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Supply Chain Risk | §164.308(b)(1), §164.314(a)(1) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, GDPR |
| Roles & Responsibilities | §164.308(a)(2), §164.308(a)(3)(i) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Compliance | §164.308(a)(8), §164.316(b)(1) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Vendor Risk Mgmt | §164.308(b)(1), §164.314(a)(1), §164.314(a)(2)(i) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, GDPR |

Identify (5 controls)

| Control | HIPAA References | Also In |
| --- | --- | --- |
| Asset Management | §164.310(d)(1), §164.310(d)(2)(iii) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Risk Assessment | §164.308(a)(1)(ii)(A) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Business Environment | §164.308(a)(1)(i) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, 800-53, GDPR |
| Data Classification | §164.312(a)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Vulnerability Mgmt | §164.308(a)(1)(ii)(A), §164.308(a)(8) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |

Protect (19 controls)

| Control | HIPAA References | Also In |
| --- | --- | --- |
| Awareness & Training | §164.308(a)(5)(i), §164.308(a)(5)(ii)(A) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Access Control | §164.312(a)(1), §164.312(a)(2)(i) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Multi-Factor Auth | §164.312(d) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Encryption | §164.312(a)(2)(iv), §164.312(e)(2)(ii) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Data Protection | §164.312(a)(2)(iv), §164.312(c)(1), §164.312(e)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Backup & Recovery | §164.308(a)(7)(ii)(A), §164.310(d)(2)(iv) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Privileged Access | §164.312(a)(1), §164.308(a)(3)(ii)(B) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Firewall / Net Seg | §164.312(e)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Endpoint Protection | §164.308(a)(5)(ii)(B), §164.310(d)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Patch Management | §164.308(a)(1)(ii)(A), §164.308(a)(8) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Secure Config | §164.310(d)(1), §164.312(a)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Email Security | §164.308(a)(5)(ii)(A), §164.312(e)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Web Security | §164.312(e)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Zero Trust | §164.312(a)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Mobile Security | §164.310(d)(1), §164.312(a)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Cloud Security | §164.308(b)(1), §164.314(a)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| WAF | §164.312(e)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| DLP | §164.312(a)(1), §164.312(e)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| API Security | §164.312(a)(1), §164.312(e)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |

Detect (6 controls)

| Control | HIPAA References | Also In |
| --- | --- | --- |
| Cont. Monitoring | §164.312(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Logging & Audit | §164.312(b), §164.308(a)(1)(ii)(D) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Intrusion Detection | §164.308(a)(1)(ii)(D), §164.312(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Anomaly Detection | §164.308(a)(1)(ii)(D) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| SIEM / SOC | §164.308(a)(1)(ii)(D), §164.312(b) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Insider Threat | §164.308(a)(3)(ii)(A), §164.308(a)(4) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |

Respond (5 controls)

| Control | HIPAA References | Also In |
| --- | --- | --- |
| Incident Response | §164.308(a)(6)(i), §164.308(a)(6)(ii) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Forensics | §164.308(a)(6)(ii) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Communication | §164.308(a)(6)(ii), §164.404(a)(1) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Mitigation | §164.308(a)(6)(ii) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Reporting | §164.308(a)(6)(ii), §164.404(a)(1), §164.408(a) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |

Recover (5 controls)

| Control | HIPAA References | Also In |
| --- | --- | --- |
| Recovery Planning | §164.308(a)(7)(i), §164.308(a)(7)(ii)(B) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Business Continuity | §164.308(a)(7)(i), §164.308(a)(7)(ii)(C) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Lessons Learned | §164.308(a)(8) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Comms & Restore | §164.308(a)(7)(ii)(C) | NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, CMMC, 800-53, GDPR |
| Disaster Recovery | §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B) | NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, GDPR |

Controls Not Required by HIPAA

These 3 controls are not directly addressed by HIPAA but may still be relevant to your security program.
