The final category Security defines the standards for safeguarding Protected Health Information (PHI) in electronic format, known as ePHI. The Privacy rule sets the standards for how PHI should be used and the Security Rule sets the standards for what needs to be done to ensure the overall confidentiality of electronic individual health records. The Security Rule states "what is required and must be addressed," not how to do it. This rule consists of three main safeguard areas. Examples of each safeguard include:

• Administrative Safeguards - having system security procedures that allow access to ePHI to those who need it; measures to prevent access to those who do not need it; having a security training program for all the members of our workforce.
• Physical Safeguards - making sure our facilities and/or workstations where ePHI is processed are sufficiently protected.
• Technical Safeguards - having unique individual system identifiers; recording or auditing activity of systems that contain ePHI.

The requirements highlighted above are intended to ensure that covered health institutions establish procedures and mechanisms to ensure confidentiality, integrity, and availability of individual health information in electronic form.