45 C.F.R. § 164.306

Security standards: General rules

Read at: eCFRecfr.gov CornellLII GovInfogovinfo.gov CasesGoogle Scholar

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach. (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

(c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in §§ 164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information.

(d) Implementation specifications. In this subpart:

(1) Implementation specifications are required or addressable. If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.

(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.

(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity or business associate must—

(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and

(ii) As applicable to the covered entity or business associate—

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate—

$(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

$(2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with § 164.316(b)(2)(iii).

[68 FR 8376, Feb. 20, 2003; 68 FR 17153, Apr. 8, 2003; 78 FR 5693, Jan. 25, 2013]
Notes of Decisions
Cited in 21 cases (15 in the last 5 years), 2010–2026 · leading case: Weinberg v. Advanced Data Processing, Inc.
Weinberg v. Advanced Data Processing, Inc. (2015) flsd · cites it 4× “Intermedix’s alleged security failures include, but are not limited to, the following: Failing to ensure the confidentiality and integrity of electronic protected health information created, received, maintained, and transmitted in violation of 45 C.F.R. § 164.306 (a)(1);…”
Paul v. Providence Health System-Oregon (2010) orctapp · cites it 3× “They also cite 45 CFR § 164.306 , authorized under the federal Health Insurance Portability and Accountability Act of 1996 (HIPPA).”
Aldrich v. Rural Health Services Consortium, Inc. (2014) ca6 “” 45 C.F.R. 164.306(a). Aldrich’s use of emails containing confidential patient information was patently unreasonable.”
Howard Center v. AFSCME Local 1674 & Daniel Peyser (2023) vt · cites it 2× “” 45 C.F.R. § 164.306 (a)(1), (4) (2022). Employer is also required to implement a sanction policy and “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”
Deisy Granados v. Pan American Life Insurance Co. (2026) njsuperctappdiv · cites it 3× “She alleged 45 C.F.R. § 164.306 requires them to "[p]rotect against any reasonably anticipated threats or hazards to the security or integrity of [confidential] information," guard "against any reasonably anticipated uses or disclosures of such information that are not…”
University of Virginia Medical Center v. Susan Jordan (2016) vactapp · cites it 2× “The Medical Center also relies on 45 C.F.R. § 164.306 : Security standards: General rules.”
Attias v. Carefirst, Inc. (2023) dcd · cites it 2× “” 45 C.F.R. §§ 164.306 (a)(1)–(2). Whether CareFirst has breached that implied duty, however, is a closer question, to which the Court now turns.”
PERMENTER v. ECLINICAL WORKS LLC (2022) gamd · cites it 2× “¶ 111 (citing 45 C.F.R. § 164.306 (a)(1)-(2)). D. Procedural Summary Relators filed this FCA action on October 16, 2018.”
Planned Parenthood Great Northwest, Hawaii, Alaska, Indiana and Kentucky, Inc. v. Cameron (2022) kywd · cites it 2× “(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.”
Wallace v. Nuvance Health (2021) nysd · cites it 2× “, 45 C.F.R. § 164.306 . For example, plaintiffs claim defendant was required to protect against reasonably anticipated threats or hazards to the security or integrity of electronic private health information, ensure the confidentiality and integrity of electronic protected…”
Owen-Brooks v. DISH Network Corporation (2024) cod · cites it 2× “” CAC ¶ 120(c) (citing 45 C.F.R. § 164.306 (a)(1); id. ¶ 120 (j) (citing 45 C.”
Angela Renee Ware v. Bronson Methodist Hospital (2014) michctapp · cites it 2× “45 CFR § 164.306 . 2 This Court’s internal docketing and case management system locks certain users out of data available to other users.”
— 45 C.F.R. § 164.306(a) — 1 case
Aldrich v. Rural Health Services Consortium, Inc. (2014) ca6 “” 45 C.F.R. 164.306(a). Aldrich’s use of emails containing confidential patient information was patently unreasonable.”
Annotations are extracted automatically from the opinions in the Syfert caselaw corpus and ranked by authority, recency, and treatment. Dots show Syfertize treatment of the citing case itself.