Administrative Safeguards of the Security Rule: What Are They?

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

The HIPAA Security Rule requires healthcare providers and their business associates to implement physical, technical, and administrative safeguards to protect the electronic Protected Health Information (PHI) that they utilize. It establishes national standards to protect that information. These standards apply not just to covered entities, but any organization that handles PHI – including subcontractors and business associates.

Administrative safeguards (also called “administrative security”) are procedures, or policies, that ensure compliance with HIPAA’s administrative simplification rules. They compromise over half of the requirements of the HIPAA Security Rule and refer to organizational security measures. These security measures are extensions of the security management process within a business.

These standards are for all covered entities, including small businesses with few resources and large medical facilities that use numerous outside service providers. Administrative safeguards differ from the security practices required by the security rule; they provide a security framework that all personnel can easily understand and use to meet security goals.

Administrative safeguards are broken down into two classifications: addressable or required.

Security Management Process – Required standards that implement policies and procedures to prevent, detect, contain, and correct security violations.

Assigned Security Responsibility – This required standard that a business must identify who will be responsible for ensuring that the covered entity will comply with the Security Rule. One person can be both the Security and Privacy Officers.

Workforce Security – Addressable standards which identify if all members of a workforce have appropriate access to ePHI and prevent those who shouldn’t have access from acquiring it.

Information Access Management – A required standard that ensures that PHI is only accessible by the parties which require access in the case of a health care clearinghouse. Addressable aspects are access authorization, establishment, and modification.

Security Awareness and Training – Addressable standards but very important. If a covered entity doesn’t train its workforce, the safeguards are useless. This includes security reminders, protection from malicious software, log-in monitoring, and password management.

Security Incident Procedures – A required standard that identifies how a workforce should respond in the case of a security incident.

Contingency Plan – A combination of both required and addressable standards which outline how the covered entity will recover access because of a security incident. This includes data backup, disaster recovery, and emergency mode plans that are required. Testing and revision procedures along with applications and data criticality analysis are addressable.

Evaluation – It is required to implement ongoing monitoring and evaluation plans.

Business Associate Contracts and Other Arrangements are required to meet the application organizational requirements. This agreement confirms that both parties will be HIPAA compliant in their usage of any PHI.

The security rule requires covered entities to update their security management process every year and to review it at least once every three years. It is particularly important for small health care providers or organizations that lack dedicated IT departments to establish effective administrative safeguards.

This article was originally published on HIPAA Secure Now! and is republished here with permission.