Both rules require covered entities to take appropriate and reasonable measures to safeguard protected health information (PHI). More specifically, both require a covered entity (CE) to assess and define its own needs, select and implement protections appropriate for its own environment, and use a risk assessment process that strikes a balance between risk and the cost of remediation.