The HIPAA Security Rule requires covered entities and business associates to protect electronic protected health information (ePHI) with specific technical safeguards. This guide breaks down what those safeguards mean at the device level, and how Zecurit Endpoint Manager helps healthcare IT teams meet them.
The HIPAA Security Rule has governed how covered entities and business associates protect electronic protected health information since 2003, with its current technical safeguard structure dating to the 2013 Omnibus Rule. Unlike many regional regulations, HIPAA is enforced by the Department of Health and Human Services' Office for Civil Rights (OCR), and investigations consistently find the same root causes behind reportable breaches: missing risk analyses, unencrypted devices, and inadequate access controls.
Most large healthcare data breaches reported each year originate not at the data centre, but at the endpoint: a lost laptop, a stolen phone, an unpatched workstation, or a USB drive carrying patient records out the door. The Security Rule's technical safeguards exist specifically to close these gaps, and an effective endpoint management platform is how IT teams operationalise them day to day.
This guide maps the Security Rule's technical safeguards to specific capabilities in Zecurit Endpoint Manager, so healthcare IT and compliance teams can turn regulatory text into operational controls.
Three roles and one core asset definition recur throughout the Security Rule:
- Covered entity: Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically in connection with covered transactions.
- Business associate: Any organisation that creates, receives, maintains, or transmits ePHI on behalf of a covered entity, such as a billing service, IT vendor, or cloud provider.
- ePHI: Electronic protected health information, meaning any individually identifiable health information created, received, stored, or transmitted in electronic form.
- Workforce: Employees, volunteers, trainees, and other persons under the direct control of a covered entity or business associate, regardless of whether they are paid.
- Required vs. addressable: Under the current rule, "required" specifications must be implemented as written. "Addressable" specifications allow an alternative measure if documented as reasonable.
- Minimum necessary: The principle that access to and disclosure of PHI should be limited to the minimum amount needed to accomplish the intended purpose.
HIPAA's reach extends well beyond hospitals and clinics. Organisations bound by the Security Rule include:
The Security Rule organises its requirements into three safeguard categories under 45 CFR §164.308–312. Endpoint management touches all three, but technical safeguards are where it does the most direct work.
- Administrative safeguards (§164.308): Risk analysis, workforce training, sanction policies, and the assignment of security responsibility. These set policy; technical controls make the policy enforceable in practice.
- Physical safeguards (§164.310): Facility access controls, workstation use policies, and device and media controls covering the disposal, reuse, and movement of hardware that stores ePHI.
- Technical safeguards (§164.312): Access control, audit controls, integrity controls, person or entity authentication, and transmission security, the safeguards most directly enforced through endpoint management.
HHS OCR published a Notice of Proposed Rulemaking in January 2025 outlining the most significant overhaul of the Security Rule since 2013. As of mid-2026, this remains a proposed rule, not final law, and OCR continues to enforce the current Security Rule while the proposal works through the rulemaking process.
If finalised in anything close to its proposed form, the update would remove the "addressable" category entirely, making encryption, multi-factor authentication, network segmentation, and annual penetration testing mandatory rather than optional. It would also shorten the security incident response window to 72 hours and require covered entities to obtain annual written verification that business associates have implemented required safeguards, rather than relying on a signed agreement alone.
Healthcare IT teams that build asset inventories, encryption coverage, and access control discipline now will be in a far stronger position if and when the final rule lands, since every one of these proposed controls is already a security best practice under the current rule.
The following sections translate each technical safeguard under 45 CFR §164.312, along with the device and media controls under §164.310(d), into the specific Zecurit capabilities that support compliance.
Covered entities and business associates must implement technical policies and procedures that allow access to ePHI only to those persons or software programs that have been granted access rights, including unique user identification, emergency access procedures, and automatic logoff.
Configuration Management's User and Group Management lets IT teams create, modify, and disable local user accounts remotely, assign unique credentials per workforce member, and enforce password policies from a central console. Remote Access sessions require explicit session confirmation from the end user and are governed by role-based access controls, supporting the unique identification and access restriction this safeguard requires.
Organisations must implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Without this evidence, breach investigations and OCR audits cannot establish what happened or when.
The Monitoring and Alerts module logs security, hardware, software, and access events in real time across the endpoint fleet. User Logon Reports record access patterns, and Device Control logs every connection attempt and blocked event with a timestamp and user account, building the activity record auditors and investigators rely on.
Organisations must implement policies and procedures to protect ePHI from improper alteration or destruction, whether caused by malicious activity, user error, or system failure.
Security Alerts immediately flag when antivirus or antimalware protection is disabled on any endpoint, a condition that leaves files open to unauthorised alteration. Hardware and software change alerts detect unexpected modifications to a device's configuration, and Configuration Management enforces consistent security baselines so endpoints cannot silently drift out of a compliant state.
Organisations must implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be, before access is granted.
User and Group Management enforces password policy at the endpoint level, ensuring every workforce member authenticates with their own verified credentials rather than shared local accounts. Remote Access sessions require the end user to explicitly confirm any incoming session before access is granted, adding a verification step beyond password authentication alone.
Organisations must implement technical security measures to guard against unauthorised access to ePHI being transmitted over an electronic communications network, including measures to prevent improper modification during transmission.
Device Control restricts how ePHI can leave a managed endpoint in the first place, blocking unauthorised removable storage, Bluetooth transfer, and wireless adapters that could otherwise move data outside approved channels. Configuration Management deploys firewall rules centrally, controlling which network paths are available to each endpoint.
Encryption of ePHI, both at rest and in transit, is currently an addressable specification, meaning organisations must implement it or document why an equivalent alternative measure is reasonable and appropriate. OCR breach investigations routinely treat unencrypted devices as a critical finding.
BitLocker Management enforces drive encryption across every managed Windows endpoint from a central console, supporting TPM-only, TPM+PIN, and passphrase authentication modes. Recovery keys are backed up automatically, and BitLocker Compliance Reports identify any unprotected devices, turning an addressable specification into a demonstrable, fleet-wide control.
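As an added illustration, not Zecurit's code or its report format, the following PowerShell assesses a Windows endpoint's OS drive the way a BitLocker compliance report would: it identifies which of the three authentication modes above is in use, confirms protection is actually on, and checks that a recovery password protector exists to be escrowed. The host names and the policy choice of requiring an escrowed recovery password are assumptions; run it elevated on Windows 10/11 with the built-in BitLocker module.

```powershell
# Added example (not Zecurit's code). Classifies the OS drive's BitLocker state
# against a constructed policy: fully encrypted, protection on, a TPM or
# passphrase protector present, and a recovery password available for escrow.
function Get-BitLockerComplianceStatus {
    [CmdletBinding()]
    param([switch]$RequirePin)   # assumed policy knob: insist on TPM+PIN

    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $hasPin   = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinKey')
    $tpmBased = $hasPin -or ($types -contains 'Tpm') -or ($types -contains 'TpmKey')
    $hasPass  = $types -contains 'Password'
    $hasRecov = $types -contains 'RecoveryPassword'

    # Map protector types onto the modes the page names: TPM-only, TPM+PIN, passphrase.
    $mode = if ($hasPin) { 'TPM+PIN' }
            elseif ($tpmBased) { 'TPM-only' }
            elseif ($hasPass) { 'Passphrase' }
            else { 'None' }

    $findings = @()
    if ($os.VolumeStatus -ne 'FullyEncrypted') { $findings += "volume status is $($os.VolumeStatus)" }
    if ($os.ProtectionStatus -ne 'On')         { $findings += 'protection is off or suspended' }
    if ($mode -eq 'None')                      { $findings += 'no TPM or passphrase protector' }
    if ($RequirePin -and -not $hasPin)         { $findings += 'TPM+PIN required but not configured' }
    if (-not $hasRecov)                        { $findings += 'no recovery password protector to escrow' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Drive        = $os.MountPoint
        Mode         = $mode
        Method       = $os.EncryptionMethod
        Compliant    = ($findings.Count -eq 0)
        Findings     = ($findings -join '; ')
    }
}

# Fleet sweep over placeholder host names; one row per endpoint, non-compliant rows first.
$endpoints = @('WS-CLINIC-01', 'WS-CLINIC-02')   # constructed placeholders
Invoke-Command -ComputerName $endpoints -ScriptBlock ${function:Get-BitLockerComplianceStatus} |
    Select-Object ComputerName, Drive, Mode, Method, Compliant, Findings |
    Sort-Object Compliant |
    Format-Table -AutoSize
```

A device can report FullyEncrypted while ProtectionStatus is Off (protectors suspended, for example during firmware updates), which is why the check looks at both fields rather than encryption state alone.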
This physical safeguard requires policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, as well as their movement within a facility, including disposal and reuse.
Hardware Inventory and geo-location tracking give IT teams continuous visibility into where managed devices physically are, supporting accountability as equipment moves between facilities, departments, and workforce members. Asset Discovery auto-onboards new devices the moment they connect, preventing unmanaged hardware from slipping outside policy.
This administrative safeguard requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and OCR's own enforcement data identifies this as the most commonly missed or inadequately performed requirement.
Patch Management continuously scans every managed endpoint for missing patches, ranking them by CVSS score and exploit intelligence. Vulnerability Management maps installed software against known CVEs, giving compliance teams the concrete, evidence-backed vulnerability data a thorough risk analysis depends on.
When OCR opens an investigation, whether triggered by a complaint, a breach report, or a random audit, organisations must produce evidence of their safeguards quickly. Assembling that evidence manually under deadline pressure is when gaps and inconsistencies tend to surface.
Compliance and Reporting provides 100+ built-in report templates, including pre-mapped templates for HIPAA, ISO 27001, PCI-DSS, GDPR, CIS, and NIST. Security Reports surface BitLocker gaps, firewall status, and antivirus health across all endpoints, and Scheduled Report Delivery emails these reports automatically, building a continuous compliance record rather than a one-time audit scramble.
A consolidated reference mapping each Security Rule safeguard to the relevant Zecurit features, useful for risk analysis documentation and OCR audit preparation.
| HIPAA Safeguard | Zecurit Endpoint Manager Capability |
|---|---|
| Access Control (§164.312(a)(1)) | User and Group Management; Role-Based Access; Session Confirmation and Audit |
| Audit Controls (§164.312(b)) | Real-Time Monitoring and Alerts; User Logon Reports; Audit Device Logs |
| Integrity Controls (§164.312(c)(1)) | Security Alerts; Hardware/Software Change Alerts; Configuration Management |
| Person/Entity Authentication (§164.312(d)) | User and Group Management; Session Confirmation and Audit |
| Transmission Security (§164.312(e)(1)) | Device Control; USB/Removable Storage Policies; Firewall Configuration |
| Encryption and Decryption (§164.312(a)(2)(iv)) | BitLocker Management; TPM Policy Management; BitLocker Compliance Reports |
| Device and Media Controls (§164.310(d)(1)) | Hardware Inventory; Geo Location Tracking; Asset Discovery |
| Risk Analysis (§164.308(a)(1)(ii)(A)) | Patch Management; Vulnerability Management; CVSS Prioritisation |
| Audit-Ready Reporting | 100+ Compliance Reports; HIPAA Report Templates; Scheduled Report Delivery |
HIPAA's technical safeguards are not abstract legal language. They translate directly into endpoint-level controls: who can log in, whether the drive is encrypted, whether antivirus is running, and whether anyone can plug in a USB drive and walk out with patient records. OCR's enforcement history shows that breaches consistently trace back to gaps in exactly these controls.
With a proposed Security Rule update on the horizon that would make encryption, MFA, and continuous monitoring mandatory rather than addressable, building strong endpoint discipline now puts your organisation ahead of regulatory change rather than scrambling to catch up to it.
Zecurit Endpoint Manager addresses the Security Rule's core technical safeguards from a single lightweight agent and unified console, giving healthcare IT teams the encryption, access control, monitoring, and reporting capabilities OCR expects to see, without stitching together separate point tools.
Zecurit develops cloud-based IT management solutions designed for modern IT teams. The Zecurit platform helps organisations manage endpoints, track assets, enforce security policies, and securely support distributed workforces through centralised, easy-to-use tools.
To learn more about Zecurit Endpoint Manager and how it supports your HIPAA compliance programme, start a free 14-day trial or contact the Zecurit team.