# Security Rule Safeguards
This module covers the HIPAA Security Rule's required safeguards for protecting ePHI.
## Administrative safeguards (§ 164.308)
- **Risk analysis**: Annual risk assessment identifying threats to ePHI
- **Security Officer**: Designated person responsible for policies and procedures
- **Workforce training**: This training program satisfies § 164.308(a)(5)
- **Access management**: Role-based access; review access quarterly
- **Contingency planning**: Backup, disaster recovery, and emergency access procedures
## Physical safeguards (§ 164.310)
- **Facility access**: Server rooms locked; visitor procedures in place
- **Workstation use**: PHI workstations in non-public areas; screen locks enforced
- **Device and media controls**: No PHI on unencrypted removable media; devices wiped before disposal
## Technical safeguards (§ 164.312)
- **Access control**: Unique user IDs; automatic session timeout; encryption keys managed per policy
- **Audit controls**: All access to ePHI systems is logged; logs retained 6 years
- **Integrity**: Mechanisms to detect unauthorized ePHI alteration
- **Transmission security**: TLS 1.3 for all ePHI in transit; no unencrypted transmission
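The transmission-security requirement above is only as good as the client configuration that enforces it. The following is an added example (not part of this module, and not the organization's own code) showing, in Python's standard `ssl` module, a context that meets the "TLS 1.3 for all ePHI in transit" requirement next to a weaker legacy configuration, plus a small policy check that flags the weak settings. Function names are illustrative.

```python
import ssl
from typing import List


def phi_client_context() -> ssl.SSLContext:
    """Context for a client that transmits ePHI: TLS 1.3 only, server certificate
    and hostname verified. Meets the module's transmission-security requirement."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Weak configuration shown for contrast: still accepts TLS 1.2 and skips
    certificate/hostname verification. This is what the policy check should catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # check_hostname must be disabled before verify_mode can be relaxed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of ways a context falls short of the ePHI transmission policy.
    An empty list means the context is compliant."""
    problems: List[str] = []
    # TLSVersion is an IntEnum, so ordering comparisons are meaningful.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        problems.append("minimum_version below TLS 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname checking disabled")
    return problems


if __name__ == "__main__":
    print("hardened:", policy_violations(phi_client_context()) or "compliant")
    print("legacy  :", policy_violations(legacy_context()))
```

`policy_violations` is the kind of check that belongs in a unit test or a startup self-test for any service handling ePHI, so that a developer cannot quietly relax the TLS floor or disable certificate verification during debugging and ship it.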
## Workstation configuration requirements
All workstations used for work must have:
- ☑ Full-disk encryption (FileVault / BitLocker / LUKS)
- ☑ Auto-lock ≤ 5 minutes inactivity
- ☑ Company-approved password manager (1Password)
- ☑ MFA on all work accounts
- ☑ Automatic OS security updates enabled
## Audit logging
All access to PHI-bearing systems generates an audit log entry automatically. Do not attempt to access or modify audit logs.
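The Integrity and Audit controls safeguards above call for a mechanism that detects unauthorized alteration, and the audit log itself is the first thing an intruder would want to edit. The following is an added example (not part of this module, and not the organization's own logging system) of a hash-chained, keyed audit log in Python: each entry carries an HMAC over its own fields and the previous entry's MAC, so editing, reordering, or deleting an interior entry is detected on verification. The key, user names, and events are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed demo key. In a real deployment the MAC key lives in a KMS/HSM or on
# a separate log-collection host, so that someone who can alter an entry on the
# application server cannot also recompute its MAC.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" value for the very first entry


def _mac(prev: str, fields: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC and this entry's canonical JSON."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, prev.encode() + canonical.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, hash-chained log of ePHI access events."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, user_id: str, action: str, record_id: str,
               ts: Optional[str] = None) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        fields = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,      # e.g. "read", "update", "export"
            "record": record_id,   # identifier of the ePHI record touched
            "prev": prev,          # links this entry to its predecessor
        }
        entry = dict(fields, mac=_mac(prev, fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, otherwise (False, index of
        the first entry whose link or MAC does not check out)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            fields = {k: v for k, v in entry.items() if k != "mac"}
            if fields.get("prev") != prev:
                return False, i          # broken link: entry removed or reordered
            if not hmac.compare_digest(_mac(prev, fields), entry["mac"]):
                return False, i          # contents changed or MAC forged
            prev = entry["mac"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events with fixed timestamps so results are reproducible."""
    log = AuditLog()
    log.record("dr.smith", "read", "patient-1001", "2024-03-01T09:00:00+00:00")
    log.record("nurse.lee", "update", "patient-1001", "2024-03-01T09:05:00+00:00")
    log.record("dr.smith", "export", "patient-2002", "2024-03-01T09:10:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["user"] = "someone.else"   # simulate an edited entry
    print("after edit:", log.verify())
```

Two caveats a practitioner should keep in mind. First, the chain alone cannot detect truncation (silently dropping the newest entries), so the current entry count or latest MAC must also be anchored somewhere the application server cannot write, such as the log collector or a periodic signed checkpoint. Second, the verification should run on a host that does not hold the application's write path, otherwise the same compromise that alters the log can also alter the verifier.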
## Attestation
Completing this module confirms you understand and will apply Security Rule safeguard requirements.