The HIPAA Security Rule (45 CFR 164.302-318) requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). Penalties for willful neglect can reach $1.5M per violation category per year. The accompanying Breach Notification Rule mandates notification of HHS, affected individuals, and (for large breaches) media.