Everything You Need to Know About HIPAA Administrative Safeguards

Posted by Ken Reiher

What are HIPAA administrative safeguards?

HIPAA administrative safeguards are actions, policies, and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI. These safeguards guide the conduct of a covered entity’s staff concerning ePHI.

Administrative safeguards of HIPAA’s security rule consist of two segments:

  • Standards – High-level objectives defined under the safeguard.
  • Implementation Specifications – Actionable objectives needed to meet the standard's requirements. Implementation specifications fall into two subcategories: required and addressable.

Below are the nine HIPAA administrative safeguard standards and the required or addressable implementation specifications to support them.

1. Security Management Process

This standard establishes policies and procedures to prevent, detect, contain, and correct security violations.

Required implementation specifications for this standard:

  • Risk analysis
  • Risk management
  • Sanction policy
  • Information system activity review

2. Assigned Security Responsibility

This standard identifies the security official responsible for developing and executing the policies and procedures required by this subpart for the covered entity or business associate.

3. Workforce Security

Workforce security establishes policies and procedures to ensure that all staff have appropriate access to ePHI, and to prevent staff who are not authorized to access ePHI from obtaining it.

Addressable implementation specifications:

  • Authorization and/or supervision
  • Workforce clearance procedure
  • Termination procedures

4. Information Access Management

This standard establishes policies and procedures for authorizing access to ePHI.

Implementation specifications:

  • Isolating health care clearinghouse functions (Required)
  • Access authorization (Addressable)
  • Access establishment and modification (Addressable)

5. Security Awareness and Training

This standard requires a security awareness and training program that all staff and management must attend.

Addressable implementation specifications:

  • Security reminders
  • Protection from malicious software
  • Log-in monitoring
  • Password management

6. Security Incident Procedures

This standard establishes policies and procedures for addressing security incidents.

Required implementation specifications:

  • Response and reporting

7. Contingency Plan

A contingency plan establishes, and puts into effect when needed, policies and procedures for responding to an emergency or other event that damages ePHI.

Implementation specifications:

  • Data backup plan (Required)
  • Disaster recovery plan (Required)
  • Emergency mode operation plan (Required)
  • Testing and revision procedures (Addressable)
  • Applications and data criticality analysis (Addressable)

8. Evaluation

The evaluation standard requires periodic technical and nontechnical evaluations, based initially on the standards implemented under this rule. Subsequent evaluations are performed in response to environmental or operational changes that affect the security of ePHI.

9. Business Associate Contracts and Other Arrangements

A covered entity may permit a business associate to create, receive, maintain, or submit ePHI on the covered entity’s behalf on the condition that the covered entity has obtained satisfactory assurances that the business associate will appropriately safeguard the ePHI.

Required implementation specifications:

  • Written contract or other arrangement

ComplyAssistant’s HIPAA Risk Assessment

ComplyAssistant’s HIPAA compliance consultants provide a risk assessment of all standards and implementation specifications under the HIPAA Security regulation, which directly supports the risk analysis and risk management requirements. To learn more, contact us today for a complimentary evaluation.