HIPAA Security Rule Administrative Safeguards
Today I am breaking down the Administrative Safeguards of the HIPAA Security Rule, 45 CFR § 164.308, into byte-size portions to help you understand how they are significant to your organization. The HIPAA Security Rule establishes security standards for protecting all electronic protected health information (ePHI).
The Administrative Safeguards comprise over half of the HIPAA Security Rule require healthcare regulated entities to implement measures to meet the security standards. These include things such as, assignment or delegation of security responsibility to an individual and security training requirements.
Administrative Safeguards Definition
Actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE’s or BA’s workforce in relation to the protection of that information.”
As with all the standards in the HIPAA Security Rule, compliance with the Administrative Safeguards requires CEs and BAs perform an evaluation of the security controls already in place, an accurate and comprehensive risk analysis, and a series of documented risk management solutions derived from a number of factors unique to each CE and BA.
What are the Administrative Safeguards?
An important step in protecting electronic PHI in your organization is to implement reasonable and appropriate Administrative Safeguards intended to set the foundation for your security program.
- Administrative safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations.
- Administrative safeguards involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information.
- A central requirement is that you perform a security risk analysis which identifies and analyzes risks to ePHI and then implement security measures to reduce those identified risks.
The Administrative Safeguards and their implementation specifications are:
Note: (R) = Required (A) = Addressable
Security Management Process
Assigned Security Responsibility
Information Access Management
Information Access Management – 45 CFR § 164.308(a)(4)
• Isolating Healthcare Clearinghouse Functions (R)
• Access Authorization (A)
• Access Establishment and Modification (A)
Security Awareness and Training
Security Incident Procedure
Contingency Plan – 45 CFR § 164.308(a)(7)
• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Testing and Revision Procedures (A)
• Applications and Data Criticality Analysis (A)
Evaluation – 45 CFR § 164.308(a)(8)
Business Associate Contracts and Other Arrangements
Vulnerabilities and Security Mitigation Examples
The following table contains a list of possible Security Components, Examples of Vulnerabilities and Examples of Security Mitigation Strategies for the Administrative Safeguards.
In general, these are the administrative functions that should be implemented to meet the security standards. These include security management processes, assignment or delegation of security responsibility to an individual, and workforce security training requirements.
All of the standards and implementation specifications found in the Administrative Safeguards section refer to administrative functions, such as policy and procedures that must be in place for the management and execution of security measures. These include performance of your security management processes, assignment or delegation of security responsibilities, training requirements and evaluation and documentation of all decisions.
Remember: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as technologies change.
Healthcare organization and third-party vendors should understand patients are entrusting them with their most private and intimate details, they expect it to remain secure.