Breaking Down the HIPAA Administrative Safeguards

HIPAA Security Rule Administrative Safeguards

Today I am breaking down the Administrative Safeguards of the HIPAA Security Rule, 45 CFR § 164.308, into byte-size portions to help you understand how they are significant to your organization. The HIPAA Security Rule establishes security standards for protecting all electronic protected health information (ePHI). 

The Administrative Safeguards comprise over half of the HIPAA Security Rule and require healthcare regulated entities to implement measures to meet the security standards. These include things such as assignment or delegation of security responsibility to an individual and security training requirements.

Administrative Safeguards Definition

“Actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE’s or BA’s workforce in relation to the protection of that information.”

As with all the standards in the HIPAA Security Rule, compliance with the Administrative Safeguards requires that covered entities (CEs) and business associates (BAs) perform an evaluation of the security controls already in place, an accurate and comprehensive risk analysis, and a series of documented risk management solutions derived from a number of factors unique to each CE and BA.

What are the Administrative Safeguards?

An important step in protecting electronic PHI in your organization is to implement reasonable and appropriate Administrative Safeguards intended to set the foundation for your security program.

  1. Administrative safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations.
  2. Administrative safeguards involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information.
  3. A central requirement is that you perform a security risk analysis which identifies and analyzes risks to ePHI and then implement security measures to reduce those identified risks.

The Administrative Safeguards and their implementation specifications are:
Note: (R) = Required, (A) = Addressable

Security Management Process – 45 CFR § 164.308(a)(1)

• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)

Assigned Security Responsibility – 45 CFR § 164.308(a)(2)

Workforce Security – 45 CFR § 164.308(a)(3)

• Authorization and/or Supervision (A)
• Workforce Clearance Procedure (A)
• Termination Procedures (A)

Information Access Management – 45 CFR § 164.308(a)(4)

• Isolating Healthcare Clearinghouse Functions (R)
• Access Authorization (A)
• Access Establishment and Modification (A)

Security Awareness and Training – 45 CFR § 164.308(a)(5)

• Security Reminders (A)
• Protection from Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)

Security Incident Procedures – 45 CFR § 164.308(a)(6)

• Response and Reporting (R)

Contingency Plan – 45 CFR § 164.308(a)(7)

• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Testing and Revision Procedures (A)
• Applications and Data Criticality Analysis (A)

Evaluation – 45 CFR § 164.308(a)(8)

Business Associate Contracts and Other Arrangements – 45 CFR § 164.308(b)(1)

• Written Contract or Other Arrangement (R)

Vulnerabilities and Security Mitigation Examples

The following table contains a list of possible Security Components, Examples of Vulnerabilities and Examples of Security Mitigation Strategies for the Administrative Safeguards.

Administrative Safeguards

In general, these are the administrative functions that should be implemented to meet the security standards. These include security management processes, assignment or delegation of security responsibility to an individual, and workforce security training requirements.

All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions, such as the policies and procedures that must be in place for the management and execution of security measures. These include performance of your security management processes, assignment or delegation of security responsibilities, training requirements, and evaluation and documentation of all decisions.

Remember: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as technologies change.

Healthcare organizations and third-party vendors should understand that patients are entrusting them with their most private and intimate details, and they expect that information to remain secure.