Compliance Guide

HIPAA Compliance for Endpoints

A Practical Guide to the Security Rule's Technical Safeguards for Covered Entities and Business Associates

The HIPAA Security Rule requires covered entities and business associates to protect electronic protected health information (ePHI) with specific technical safeguards. This guide breaks down what those safeguards mean at the device level, and how Zecurit Endpoint Manager helps healthcare IT teams meet them.

Published by: Zecurit
Category: Compliance & Regulation
Audience: Healthcare IT Teams, Security Officers, Compliance Leads

Why HIPAA Compliance Starts at the Endpoint

At a Glance
  • Who is impacted: Covered entities (providers, health plans, clearinghouses) and business associates that create, receive, maintain, or transmit ePHI.
  • What the law requires: The HIPAA Security Rule (45 CFR Part 164, Subpart C) mandates administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.
  • Why endpoints matter now: Workstations, laptops, and mobile devices are where ePHI is most often created, viewed, and lost. Access control, audit controls, and encryption requirements apply directly to these devices.
  • How Zecurit helps: BitLocker encryption, device control, access management, patch management, and audit-ready compliance reporting from a single agent and console.

The HIPAA Security Rule has governed how covered entities and business associates protect electronic protected health information since 2003, with its current technical safeguard structure dating to the 2013 Omnibus Rule. Unlike many regional regulations, HIPAA is enforced by the Department of Health and Human Services' Office for Civil Rights (OCR), and investigations consistently find the same root causes behind reportable breaches: missing risk analyses, unencrypted devices, and inadequate access controls.

Most large healthcare data breaches reported each year originate not at the data centre, but at the endpoint: a lost laptop, a stolen phone, an unpatched workstation, or a USB drive carrying patient records out the door. The Security Rule's technical safeguards exist specifically to close these gaps, and an effective endpoint management platform is how IT teams operationalise them day to day.

OCR's Most-Cited Deficiency: Across compliance investigations and breach reports, the failure to conduct a thorough and accurate risk analysis remains the single most frequently cited HIPAA Security Rule violation. Without visibility into where ePHI lives and how endpoints are configured, no risk analysis can be complete.

This guide maps the Security Rule's technical safeguards to specific capabilities in Zecurit Endpoint Manager, so healthcare IT and compliance teams can turn regulatory text into operational controls.

Key Terminology Under HIPAA

Three roles and one core asset definition recur throughout the Security Rule:

  • Covered Entity

    Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically in connection with covered transactions.

  • Business Associate

    Any organisation that creates, receives, maintains, or transmits ePHI on behalf of a covered entity, such as a billing service, IT vendor, or cloud provider.

  • ePHI

    Electronic protected health information: any individually identifiable health information created, received, stored, or transmitted in electronic form.

  • Workforce Member

    Employees, volunteers, trainees, and other persons under the direct control of a covered entity or business associate, regardless of whether they are paid.

  • Required vs. Addressable

    Under the current rule, "required" specifications must be implemented as written. "Addressable" specifications allow an alternative measure if documented as reasonable.

  • Minimum Necessary

    The principle that access to and disclosure of PHI should be limited to the minimum amount needed to accomplish the intended purpose.

Who Must Comply With HIPAA?

HIPAA's reach extends well beyond hospitals and clinics. Organisations bound by the Security Rule include:

  • Hospitals, clinics, and individual healthcare providers
  • Health insurers, HMOs, and employer-sponsored health plans
  • Healthcare clearinghouses processing claims data
  • Medical billing and revenue cycle management vendors
  • Cloud hosting and IT services providers handling ePHI
  • Electronic health record (EHR) and practice management vendors
  • Pharmacy benefit managers and laboratory services
  • Any subcontractor engaged by a business associate

Penalty Exposure: HIPAA penalties are tiered by culpability, ranging from unknowing violations to wilful neglect, with civil penalties that can reach into the millions of dollars per calendar year for repeated violations of an identical provision. Beyond fines, OCR routinely requires multi-year corrective action plans and ongoing monitoring following a significant breach.

The Three Safeguard Categories

The Security Rule organises its requirements into three safeguard categories under 45 CFR §164.308–312. Endpoint management touches all three, but technical safeguards are where it does the most direct work.

§164.308

Administrative Safeguards

Risk analysis, workforce training, sanction policies, and the assignment of security responsibility. These set policy; technical controls make the policy enforceable in practice.

§164.310

Physical Safeguards

Facility access controls, workstation use policies, and device and media controls covering the disposal, reuse, and movement of hardware that stores ePHI.

§164.312

Technical Safeguards

Access control, audit controls, integrity controls, person or entity authentication, and transmission security, the safeguards most directly enforced through endpoint management.

The Proposed 2026 Security Rule Update

HHS OCR published a Notice of Proposed Rulemaking in January 2025 outlining the most significant overhaul of the Security Rule since 2013. As of mid-2026, this remains a proposed rule, not final law, and OCR continues to enforce the current Security Rule while the proposal works through the rulemaking process.

Current Status: The proposed rule has not been finalised. A coalition of hospital and provider groups has asked HHS to withdraw or substantially revise it, and there is no confirmed date for a final rule. Organisations should treat the proposal as a strong directional signal worth preparing for, not as an active legal requirement.

If finalised in anything close to its proposed form, the update would remove the "addressable" category entirely, making encryption, multi-factor authentication, network segmentation, and annual penetration testing mandatory rather than optional. It would also shorten the security incident response window to 72 hours and require covered entities to obtain annual written verification that business associates have implemented required safeguards, rather than relying on a signed agreement alone.

Healthcare IT teams that build asset inventories, encryption coverage, and access control discipline now will be in a far stronger position if and when the final rule lands, since every one of these proposed controls is already a security best practice under the current rule.

Security Rule Technical Safeguards Mapped to Zecurit Endpoint Manager

The following sections translate each technical safeguard under 45 CFR §164.312, along with the device and media controls under §164.310(d), into the specific Zecurit capabilities that support compliance.

Safeguard 01

Access Control

45 CFR §164.312(a)(1)

Covered entities and business associates must implement technical policies and procedures that allow access to ePHI only to those persons or software programs that have been granted access rights, including unique user identification, emergency access procedures, and automatic logoff.

Zecurit Endpoint Manager

Configuration Management's User and Group Management lets IT teams create, modify, and disable local user accounts remotely, assign unique credentials per workforce member, and enforce password policies from a central console. Remote Access sessions require explicit session confirmation from the end user and are governed by role-based access controls, supporting the unique identification and access restriction this safeguard requires.

Features: User and Group Management · Role-Based Access · Session Confirmation and Audit

Safeguard 02

Audit Controls

45 CFR §164.312(b)

Organisations must implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Without this evidence, breach investigations and OCR audits cannot establish what happened or when.

Zecurit Endpoint Manager

The Monitoring and Alerts module logs security, hardware, software, and access events in real time across the endpoint fleet. User Logon Reports record access patterns, and Device Control logs every connection attempt and blocked event with a timestamp and user account, building the activity record auditors and investigators rely on.

Features: Real-Time Monitoring and Alerts · User Logon Reports · Audit Device Logs

Safeguard 03

Integrity Controls

45 CFR §164.312(c)(1)

Organisations must implement policies and procedures to protect ePHI from improper alteration or destruction, whether caused by malicious activity, user error, or system failure.

Zecurit Endpoint Manager

Security Alerts immediately flag when antivirus or antimalware protection is disabled on any endpoint, a primary vector for the unauthorised alteration of files. Hardware and software change alerts detect unexpected modifications to a device's configuration, and Configuration Management enforces consistent security baselines so endpoints cannot silently drift out of a compliant state.

Features: Security Alerts · Hardware/Software Change Alerts · Configuration Management

Safeguard 04

Person or Entity Authentication

45 CFR §164.312(d)

Organisations must implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be, before access is granted.

Zecurit Endpoint Manager

User and Group Management enforces password policy at the endpoint level, ensuring every workforce member authenticates with their own verified credentials rather than shared local accounts. Remote Access sessions require the end user to explicitly confirm any incoming session before access is granted, adding a verification step beyond password authentication alone.

Features: User and Group Management · Session Confirmation and Audit

Safeguard 05

Transmission Security

45 CFR §164.312(e)(1)

Organisations must implement technical security measures to guard against unauthorised access to ePHI being transmitted over an electronic communications network, including measures to prevent improper modification during transmission.

Zecurit Endpoint Manager

Device Control restricts how ePHI can leave a managed endpoint in the first place, blocking unauthorised removable storage, Bluetooth transfer, and wireless adapters that could otherwise move data outside approved channels. Configuration Management deploys firewall rules centrally, controlling which network paths are available to each endpoint.

Features: Device Control · USB/Removable Storage Policies · Firewall Configuration

Safeguard 06

Encryption and Decryption

45 CFR §164.312(a)(2)(iv), §164.312(e)(2)(ii)

Encryption of ePHI, both at rest and in transit, is currently an addressable specification, meaning organisations must implement it or document why an equivalent alternative measure is reasonable and appropriate. OCR breach investigations routinely treat unencrypted devices as a critical finding.

Zecurit Endpoint Manager

BitLocker Management enforces drive encryption across every managed Windows endpoint from a central console, supporting TPM-only, TPM+PIN, and passphrase authentication modes. Recovery keys are backed up automatically, and BitLocker Compliance Reports identify any unprotected devices, turning an addressable specification into a demonstrable, fleet-wide control.

Features: BitLocker Management · TPM Policy Management · BitLocker Compliance Reports

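The evidence a BitLocker compliance report has to capture for this safeguard can be checked per endpoint with the built-in BitLocker PowerShell module. The script below is an added example, not Zecurit code; it assumes it runs elevated on a Windows 10/11 endpoint, and the accepted protector list is a constructed policy for illustration.

```powershell
# Added example (not Zecurit code): audit BitLocker state on one Windows endpoint
# against an encryption-at-rest policy for HIPAA §164.312(a)(2)(iv).
# Assumptions: elevated session on Windows 10/11 with the BitLocker module;
# the accepted protector types below are a constructed policy, not a standard.

# Authentication protectors the (constructed) policy accepts on a fixed drive:
# TPM-only, TPM+PIN, TPM+startup key variants, or a passphrase.
$AllowedAuthProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param()

    $findings = foreach ($vol in Get-BitLockerVolume) {
        # Fixed drives are where ePHI sits at rest; removable media is out of scope here.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        $types       = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $hasAuth     = @($types | Where-Object { $_ -in $AllowedAuthProtectors }).Count -gt 0
        $hasRecovery = $types -contains 'RecoveryPassword'   # needed for escrowed recovery keys

        $issues = @()
        if ($vol.ProtectionStatus -ne 'On')         { $issues += 'protection off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "volume status $($vol.VolumeStatus)" }
        if (-not $hasAuth)                          { $issues += 'no TPM/PIN/passphrase protector' }
        if (-not $hasRecovery)                      { $issues += 'no recovery password protector' }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Volume     = $vol.MountPoint
            Type       = [string]$vol.VolumeType
            Method     = [string]$vol.EncryptionMethod
            Protectors = ($types -join ',')
            Compliant  = ($issues.Count -eq 0)
            Issues     = ($issues -join '; ')
        }
    }
    return $findings
}

# One CSV row per volume becomes the audit record; a non-zero exit flags a gap
# so a scheduler or fleet tool can pick the device up for remediation.
$report = Test-BitLockerCompliance
$report | Export-Csv -Path "$env:TEMP\bitlocker-audit.csv" -NoTypeInformation
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

A device that passes this check but whose recovery password was never escrowed still fails the "recoverable" half of the control, so pair the protector check with the recovery key backup state in whatever escrow system the fleet uses.
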
Safeguard 07

Device and Media Controls

45 CFR §164.310(d)(1)

This physical safeguard requires policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, as well as their movement within a facility, including disposal and reuse.

Zecurit Endpoint Manager

Hardware Inventory and geo-location tracking give IT teams continuous visibility into where managed devices physically are, supporting accountability as equipment moves between facilities, departments, and workforce members. Asset Discovery auto-onboards new devices the moment they connect, preventing unmanaged hardware from slipping outside policy.

Features: Hardware Inventory · Geo Location Tracking · Asset Discovery

Safeguard 08

Risk Analysis and Vulnerability Management

45 CFR §164.308(a)(1)(ii)(A)

This administrative safeguard requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and OCR's own enforcement data identifies this as the most commonly missed or inadequately performed requirement.

Zecurit Endpoint Manager

Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and exploit intelligence. Vulnerability Management maps installed software against known CVEs, giving compliance teams the concrete, evidence-backed vulnerability data a thorough risk analysis depends on.

Features: Patch Management · Vulnerability Management · CVSS Prioritisation

Safeguard 09

Audit-Ready Compliance Reporting

Supports §164.308, §164.312(b)

When OCR opens an investigation, whether triggered by a complaint, a breach report, or a random audit, organisations must produce evidence of their safeguards quickly. Assembling that evidence manually under deadline pressure is when gaps and inconsistencies tend to surface.

Zecurit Endpoint Manager

Compliance and Reporting provides 100+ built-in report templates including pre-mapped templates for HIPAA, ISO 27001, PCI-DSS, GDPR, CIS, and NIST. Security Reports surface BitLocker gaps, firewall status, and antivirus health across all endpoints, and Scheduled Report Delivery emails these reports automatically, building a continuous compliance record rather than a one-time audit scramble.

Features: 100+ Compliance Reports · HIPAA Report Templates · Scheduled Report Delivery

HIPAA Technical Safeguards and Zecurit Endpoint Manager Capabilities

A consolidated reference mapping each Security Rule safeguard to the relevant Zecurit features, useful for risk analysis documentation and OCR audit preparation.

HIPAA Safeguard | Zecurit Endpoint Manager Capability
Access Control (§164.312(a)(1)) | User and Group Management; Role-Based Access; Session Confirmation and Audit
Audit Controls (§164.312(b)) | Real-Time Monitoring and Alerts; User Logon Reports; Audit Device Logs
Integrity Controls (§164.312(c)(1)) | Security Alerts; Hardware/Software Change Alerts; Configuration Management
Person/Entity Authentication (§164.312(d)) | User and Group Management; Session Confirmation and Audit
Transmission Security (§164.312(e)(1)) | Device Control; USB/Removable Storage Policies; Firewall Configuration
Encryption and Decryption (§164.312(a)(2)(iv)) | BitLocker Management; TPM Policy Management; BitLocker Compliance Reports
Device and Media Controls (§164.310(d)(1)) | Hardware Inventory; Geo Location Tracking; Asset Discovery
Risk Analysis (§164.308(a)(1)(ii)(A)) | Patch Management; Vulnerability Management; CVSS Prioritisation
Audit-Ready Reporting | 100+ Compliance Reports; HIPAA Report Templates; Scheduled Report Delivery

Compliance Lives on the Devices Where ePHI Actually Sits

HIPAA's technical safeguards are not abstract legal language. They translate directly into endpoint-level controls: who can log in, whether the drive is encrypted, whether antivirus is running, and whether anyone can plug in a USB drive and walk out with patient records. OCR's enforcement history shows that breaches consistently trace back to gaps in exactly these controls.

With a proposed Security Rule update on the horizon that would make encryption, MFA, and continuous monitoring mandatory rather than addressable, building strong endpoint discipline now puts your organisation ahead of regulatory change rather than scrambling to catch up to it.

Zecurit Endpoint Manager addresses the Security Rule's core technical safeguards from a single lightweight agent and unified console, giving healthcare IT teams the encryption, access control, monitoring, and reporting capabilities OCR expects to see, without stitching together separate point tools.

About Zecurit

Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.

To learn more about Zecurit Endpoint Manager and how it supports your HIPAA compliance programme, start a free 14-day trial or contact the Zecurit team.

Contact Zecurit