What Are Administrative Safeguards?
Administrative safeguards are the administrative actions, policies, and procedures used to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. They represent the largest category of Security Rule requirements — nine standards — and form the foundation upon which physical and technical safeguards are built.
1. Security Management Process
The security management process standard requires covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations. It includes four required implementation specifications:
- Risk analysis (Required) — Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI confidentiality, integrity, and availability.
- Risk management (Required) — Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Sanction policy (Required) — Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures.
- Information system activity review (Required) — Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
2. Assigned Security Responsibility
A single individual — the Security Official — must be designated as responsible for developing and implementing the required security policies and procedures. In small organizations, the Security Official and the Privacy Officer may be the same person. The designation must be documented.
3. Workforce Security
Covered entities must implement policies and procedures to ensure that all members of the workforce have appropriate access to ePHI and to prevent those who are not authorized to have access from obtaining it. Implementation specifications include authorization and supervision (addressable), workforce clearance procedures (addressable), and termination procedures (addressable) to revoke access when employment or another workforce arrangement ends.
4. Information Access Management
This standard requires procedures for authorizing access to ePHI consistent with the minimum necessary standard. For covered entities that are part of a hybrid entity, this includes isolating healthcare clearinghouse functions (required). Access authorization procedures (addressable) and access establishment and modification procedures (addressable) govern how access rights are granted and changed.
5. Security Awareness and Training
All workforce members, including management, must receive security awareness training. Addressable specifications include security reminders, protection from malicious software, log-in monitoring, and password management. Training must be provided to new workforce members within a reasonable time and must address the specific risks and policies relevant to each role.
6. Security Incident Procedures
Covered entities must implement policies and procedures to address security incidents. The required specification is to identify and respond to suspected or known security incidents, mitigate harmful effects, and document security incidents and their outcomes. A security incident is an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
7. Contingency Plan
The contingency plan standard requires establishing policies and procedures for responding to an emergency or other occurrence that damages systems containing ePHI. Required specifications include a data backup plan and a disaster recovery plan. Addressable specifications include an emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis.
8. Evaluation
Covered entities must perform a periodic technical and nontechnical evaluation in response to environmental or operational changes that affect ePHI security. This evaluation reassesses the effectiveness of implemented safeguards and ensures they continue to meet the Security Rule's requirements as the organization evolves.
9. Business Associate Contracts and Other Arrangements
A covered entity may allow a business associate to create, receive, maintain, or transmit ePHI only if it obtains satisfactory assurances — through a BAA — that the business associate will appropriately safeguard the information. This is a required implementation specification and is the administrative safeguard foundation for the BAA requirement.