HIPAA Organizational Requirements

In this week’s “Know The Rules!,” I am diving a little deeper into the Organizational Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 CFR § 164.314, which sit alongside the Administrative, Physical, and Technical Safeguards standards.

The Organizational Requirements standards require Covered Entities (CEs) to have a signed Business Associate Agreement (BAA) or other arrangement in place before permitting a Business Associate (BA) to create, receive, maintain, or transmit electronic protected health information (ePHI) on their behalf, and they require BAs to do the same before passing ePHI to their own subcontractors. The standards spell out the specific content that these written contracts or other arrangements must include.

The Organizational Requirements include:
Note: (R) = Required      (A) = Addressable

  1. Business Associates Contracts & Other Arrangements – 45 CFR 164.314(a)(1)
    • Business Associate Contracts – (R)
    • Other Arrangements – (R)
  2. Requirements for Group Health Plans – 45 CFR 164.314(b)(1)
    • Implementation Specifications – (R)

The following table contains a list of possible Security Areas to Consider and Examples of Potential Security Measures for the Organizational Requirements.

Table 1: Security Areas and Security Mitigation Strategies (table image not reproduced)

The following table contains a list of possible Security Components, Examples of Vulnerabilities, and Examples of Security Mitigation Strategies for the Organizational Requirements.

Table 2: Security Component, Vulnerability Examples and Security Mitigation Strategies (table image not reproduced)

The Organizational Requirements section of the Security Rule, among other things, provides requirements for the content of BA contracts or other arrangements and the plan documents of group health plans.

Together with reasonable and appropriate Administrative, Physical, and Technical Safeguards, successful implementation of the Organizational Requirements standards will help ensure that a CE or BA protects the confidentiality, integrity, and availability of ePHI.

Remember: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as CEs’ & BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.