Getty Images/iStockphoto

Common HIPAA Administrative Safeguards Under The HIPAA Security Rule

HIPAA administrative safeguards are crucial measures that all covered entities must consider under the HIPAA Security Rule.

Under the HIPAA Security Rule, covered entities must implement physical, technical, and administrative safeguards to safeguard electronic protected health information (ePHI). These safeguards help covered entities mitigate risk and ensure that sensitive health data remains secure and out of the reach of unauthorized individuals.

The HIPAA Security Rule is purposefully flexible and scalable to account for varying organization sizes and security needs. As is the case with HIPAA physical safeguards and technical safeguards, healthcare organizations will need to review their own policies, daily workflows, and existing security programs to determine what works best for them.

What Are HIPAA administrative safeguards?

“Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information,” HIPAA states.

Essentially, covered entities must implement policies and procedures that help guide employees in the proper care and use of ePHI. According to the CMS HIPAA Security Series, administrative safeguards account for more than half of HIPAA’s security requirements.  

HIPAA administrative safeguards are broken down into several standards:

  • Security management process
  • Assigned security responsibility
  • Workforce security
  • Information access management
  • Security awareness and training
  • Security incident procedures
  • Contingency plan
  • Evaluation
  • Business associate contracts and other arrangements

Compliance with HIPAA administrative safeguard requirements depends on the covered entities’ size, capabilities, technical infrastructure, and the probability of potential ePHI exposure.

Each section comes with its own subset of implementation specifications. Some specifications are described as “required” while others are just “addressable.”.

"The 'required' implementation specifications must be implemented. The 'addressable' designation does not mean that an implementation specification is optional," HHS states.

"However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate."

Below, HealthITSecurity will provide a brief overview of each standard under the HIPAA Security Rule and its implementation specifications, based on guidance from HIPAA's text, HHS, and CMS.

Security management process

This standard establishes the basic policies and procedures that a covered entity must put in place to properly guide its employees in HIPAA administrative safeguard compliance.

There are four required implementation specifications under this standard: risk analysis, risk management, sanction policy, and information system activity review.

Under the security management process standard, HIPAA-covered entities also need to consider their risk management and risk analysis procedures and review their security measures to ensure they have a strong strategy to protect the confidentiality, integrity, and availability of ePHI.

Assigned security responsibility

This standard requires that covered entities “identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”

For example, healthcare organizations should decide if it would be beneficial for one person to be designated as the Privacy Officer and Security Officer, or if that should be two separate roles. Moreover, those roles should properly reflect the size, complexity, and technical capabilities of the organization.

There are no implementation specifications for the assigned security responsibility standard.

Workforce security

The workforce security standard requires covered entities to implement policies and procedures that ensure that employees have appropriate access to ePHI. This standard has three addressable implementation specifications: authorization and/or supervision, workforce clearance procedures, and termination procedures.

This standard emphasizes that only employees who work directly with ePHI to perform their job functions should have access to it. 

The workforce security standard also takes termination procedures into account. For example, after an employee who had access to ePHI is terminated, the covered entity should ensure that they can no longer access that information. This could be done by deactivating an employee password or access code.

Information access management

Similarly, the information access standard requires covered entities to restrict access to only individuals and entities with a need for access. This is a basic tenet of security.

The standard’s only required implementation specification is “isolating healthcare clearinghouse functions,” which requires healthcare clearinghouses that are part of a larger organization to implement ePHI protection procedures and policies.

The two other implementation specifications are addressable: access authorization and access establishment and modification.

“Compliance with this standard should support a covered entity’s compliance with the HIPAA Privacy Rule minimum necessary requirements, which requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information,” according to CMS.

Security awareness and training

Security awareness and training are crucial to maintaining enterprise-wide security. There are four addressable implementation specifications under this standard: security reminders, protection from malicious software, log-in monitoring, and password management.

For example, proper password policies, anti-phishing training, and basic cyber hygiene lessons can fulfill the security awareness and training administrative safeguard standard.

Security incident procedures

This standard requires covered entities to implement necessary policies and procedures to address security incidents. The only required implementation specification under the security incident procedures standard is response and reporting.

The specification requires that covered entities “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.”

Contingency plan

The contingency plan standard comes into play when covered entities face natural disasters, fires, or system failures that damage systems with ePHI.

The three required implementation specifications are as follows: data backup plan, disaster recovery plan, and emergency mode operation plan. In addition, testing and revision procedures and applications and data criticality analysis are two addressable specifications.

Covered entities should establish strategies for recovering access to ePHI in the event of a natural or human-made disaster.

For example, organizations should know what type of backup material is needed, i.e., recovery discs or off-site or cloud-based backup storage.

Evaluation

The evaluation standard has no implementation specifications and simply requires covered entities to implement ongoing monitoring and evaluation plans.

These should be periodically reviewed so organizations can adjust to any environmental or operational changes that affect ePHI security.

Business associate contracts and other arrangements

The final standard is similar to the business associate agreement aspect of the HIPAA Privacy Rule, but is specific to business associates that create, receive, maintain or transmit ePHI.

The one required implementation specification mandates that organizations maintain a written contract or arrangement that meets the applicable requirements of HIPAA.

Implementing HIPAA Administrative Safeguards

Administrative safeguards make up a significant portion of the HIPAA Security Rule and require covered entities to prepare for unexpected natural disasters and security incidents, all while protecting ePHI and maintaining business continuity.

Healthcare organizations should work with key stakeholders to craft and practice a comprehensive cyber incident response plan. In addition, covered entities should prioritize employee education and security awareness training to prevent phishing attacks and other common types of social engineering.

In addition to administrative safeguards, organizations can bolster their security postures by implementing common physical and technical safeguards, such as facility access and control measures and authentication controls, as required by HIPAA.

Next Steps

Dig Deeper on HIPAA compliance and regulation