Under the Security Rule, covered entities (CEs) and business associates (BAs) must develop effective administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI, including patient portal ePHI. Patient portal apps and software must be secure, or be rendered secure.