Episode 38: Know The Rules! Diving into HIPAA Administrative Safeguards

In this week’s “Know The Rules!”, I am diving a little deeper into the Administrative Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) Security Standards: Administrative Safeguards, 45 CFR § 164.308.

The HIPAA Administrative Safeguards comprise over half of the HIPAA Security Rule. They establish a national set of minimum security standards for protecting all electronic protected health information (ePHI) that Covered Entities (CEs) and Business Associates (BAs) create, receive, maintain, or transmit.

The HIPAA Security Rule defines Administrative Safeguards as:

“Actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE’s or BA’s workforce in relation to the protection of that information.”

As with all the standards in the HIPAA Security Rule, compliance with the Administrative Safeguards requires that CEs and BAs perform an evaluation of the security controls already in place, an accurate and comprehensive risk analysis, and a series of documented risk management solutions derived from a number of factors unique to each CE and BA.

  1. Administrative safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations.
  2. Administrative safeguards involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information.
  3. A central requirement is that you perform a security risk analysis which identifies and analyzes risks to ePHI and then implement security measures to reduce those identified risks.

The Administrative Safeguards and their implementation specifications are:
Note: (R) = Required, (A) = Addressable

1. Security Management Process – 45 CFR § 164.308(a)(1)

• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)

2. Assigned Security Responsibility – 45 CFR § 164.308(a)(2)

3. Workforce Security – 45 CFR § 164.308(a)(3)

• Authorization and/or Supervision (A)
• Workforce Clearance Procedure (A)
• Termination Procedures (A)

4. Information Access Management – 45 CFR § 164.308(a)(4)

• Isolating Healthcare Clearinghouse Functions (R)
• Access Authorization (A)
• Access Establishment and Modification (A)

5. Security Awareness and Training – 45 CFR § 164.308(a)(5)

• Security Reminders (A)
• Protection from Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)

6. Security Incident Procedures – 45 CFR § 164.308(a)(6)

• Response and Reporting (R)

7. Contingency Plan – 45 CFR § 164.308(a)(7)

• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Testing and Revision Procedures (A)
• Applications and Data Criticality Analysis (A)

8. Evaluation – 45 CFR § 164.308(a)(8)

9. Business Associate Contracts and Other Arrangements – 45 CFR § 164.308(b)(1)

• Written Contract or Other Arrangement (R)

The following table contains a list of possible Security Components, Examples of Vulnerabilities and Examples of Security Mitigation Strategies for the Administrative Safeguards.


In general, these are the administrative functions that should be implemented to meet the security standards. These include security management processes, assignment or delegation of security responsibility to an individual, and workforce security training requirements.

All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions, such as the policies and procedures that must be in place for the management and execution of security measures. These include performance of your security management processes, assignment or delegation of security responsibilities, training requirements, and evaluation and documentation of all decisions.

Remember: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?


For tips like this and more request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter Today.
