Guide to HIPAA administrative safeguards

Required standards

Covered Entities must apply these standards to the level demanded by HIPAA rules. Policies and procedures must follow every aspect of the required safeguards. There is little scope for flexibility.

Addressable standards

Covered Entities must consider addressable standards. But, organizations have much more freedom about how or whether they put in place policies. Security teams can decide to opt out of addressable standards. Organizations choosing this route must document why they have taken this decision

What is the purpose of HIPAA administrative safeguards?

Administration measures form a large proportion of the HIPAA Security Rule. This is because policies protect electronic Protected Health Information. Policies apply physical and technical safeguards required by the Security Rule. And they ensure there are no compliance gaps that could cause security incidents.

Policies also document security measures and procedures required by the HIPAA Security Rule. Policies show that organizations understand their regulatory role. They show that the organization's security posture meets HIPAA standards.

HIPAA administrative safeguards guide healthcare bodies at an operational level. They provide a structure of policies and procedures for employees and Business Associates. This structure acts as a foundation to build robust controls.

Administrative measures also build a culture of compliance. They enhance security awareness and reduce the risk of accidental PHI exposure.

Employees can refer to policies and procedures when handling ePHI. Comprehensive HIPAA policies form the basis for compliance training. They also document the penalties for employees who breach HIPAA rules.

HIPAA administrative safeguards standards

Under HIPAA rules, it is not enough to install technical safeguards. Covered Entities must document the controls they use. Policies and procedures achieve this aim. They act as a framework to protect ePHI.

HIPAA regulations specify nine core administrative safeguards. These safeguards include a degree of flexibility. Regulators do not expect every Covered Entity to apply the same approach. However, healthcare organizations must include every safeguard in their policies and procedures.

Security management process

The security management process deals with risk analysis and auditing. Compliant organizations must put in place policies to detect and handle security violations. Relevant addressable areas in this category include:

• Risk analysis
• Risk management
• Violation penalties
• Information system auditing

Assigned security responsibility

This set of implementation specifications deals with organization and accountability. Covered Entities must identify an individual with HIPAA security responsibility.

The assigned security professional develops security policies and procedures. They should:

• Encourage security awareness throughout the organization
• Ensure risk analysis is part of everyday security planning
• Put in place processes documented in HIPAA security policies
• Report to security managers about policy flaws or security gaps.
  
  

Organizations without an assigned security officer are in breach of the Security Rule. Allocating an individual with the required skills is crucial.

Workforce security

Workforce security deals with privileges management. These implementation specifications provide individuals with appropriate access to ePHI. They also deny access to individuals without a legitimate professional need.

Implementation standards to concentrate on in this area include:

• Assigning appropriate access privileges
• Managing employee clearance when staff need short-term access to ePHI
• Offboarding employees and removing privileges

Information access management

This set of implementation standards handles how organizations manage access to ePHI. This is not the same as workforce security. Information access involves segmenting networks and creating secure zones for ePHI.

The only required information access management issue involves healthcare clearinghouses. Policies must isolate healthcare clearinghouse functions to protect ePHI during data processing.

Authorizing access is also an addressable specification. And the same applies to establishing and modifying access settings. Covered Entities can install access controls that suit their business needs. But, security measures must meet the requirements for workforce access.

Security awareness and training

According to this implementation standard, all employees must undergo HIPAA compliance training. Addressable areas to focus on when building security awareness and training include:

• Providing security reminders, including the definition of Protected Health Information
• Avoiding malware and phishing attacks
• Monitoring log-ins
• Use of physical safeguards to protect PHI
• Secure password management

Security incident processes

Covered Entities should have processes and policies to address security incidents. This implementation standard applies the Breach Notification Rule. Healthcare organizations must have security incident procedures that:

• Report incidents according to HIPAA rules
• Launch incident response processes

Contingency planning

This implementation standard protects ePHI during security incidents or natural disasters. Covered Entities must create a contingency plan that applies when incidents occur. Required contingency plan components include:

• Scheduling secure data back-ups
• Creating and testing disaster recovery plans
• Emergency mode operation plans
  
  

Security incident procedures also include addressable policy areas that may be relevant. Addressable safeguards include:

• Revision and testing processes
• Application analysis
• Data integrity analysis

Evaluation

Covered Entities must assess how they protect ePHI. Testing and revision procedures should:

• Identify areas of concern and document any policy changes
• Respond to changes in the external environment that may compromise ePHI
• Take into account new HIPAA security regulations or security vulnerabilities
• Recommend technical safeguards to remedy those weaknesses.
  
  

Under the Security Rule, organizations must put in place evaluation policies. These policies should assess how the organization secures patient data. But Covered Entities can choose their evaluation strategy.

Some situations may need extensive data criticality analysis. Other organizations may focus on access management or tracking physical safeguards.

Business Associate contracts and other arrangements

This implementation standard covers Business Associates that receive, process, manage, or send ePHI. Covered Entities must sign security contracts with associates.

Business Associate contracts should demand that associates meet HIPAA security standards. Risk management officers should also assess associates to identify their security standards.

Who handles administrative safeguards in HIPAA?

Organizations that process, store, receive, or send ePHI must use administrative safeguards. This includes Covered Entities and Business Associates under the HIPAA Security Rule.

Policy officers manage policies and procedures within organizations. This individual should write and maintain policies. They are responsible for carrying out risk assessments. They encourage security awareness and manage training. Policy officers also track staff compliance. They ensure that penalties apply when employees violate HIPAA security safeguards.

On the regulatory side, the Department of Health and Human Services (HHS) maintains HIPAA rules. The Office for Civil Rights (OCR) investigates potential violations. The OCR may levy fines if administrative safeguards do not follow the HIPAA Security Rule. However, regulators generally provide compliance advice instead of applying financial penalties.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.