administrative safeguards, security (HIPAA)
HIPAA's Security Rule divides its protections into three "safeguard" categories: administrative (discussed here), physical and technical. Each safeguard category consists of standards, and most standards carry one or more implementation specifications that say how the standard is to be met.

The Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information [ePHI] and to manage the conduct of the covered entity's workforce in relation to the protection of that information."
The administrative safeguards standards and their implementation specifications are presented in the matrix below. Each specification is marked either required (r) or addressable (a). "Addressable" does not mean optional: a covered entity must assess whether the specification is reasonable and appropriate in its environment and either implement it, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is reasonable.

Formal policies and procedures are required for compliance with the Security Rule, as is comprehensive documentation of security measures. Documentation must be kept current, and a historical record of earlier versions must be retained. Those two standards (164.316) have been added to this matrix for completeness, but they apply to all three safeguard areas, not just the administrative one.
| Standard | CFR section | Implementation specification ((r) = required; (a) = addressable) |
|---|---|---|
| Security management process | 164.308(a)(1) | Risk analysis (r) |
| | | Risk management (r) |
| | | Sanction policy (r) |
| | | Information system activity review (r) |
| Assigned security responsibility | 164.308(a)(2) | (r) |
| Workforce security | 164.308(a)(3) | Authorization and/or supervision (a) |
| | | Workforce clearance procedure (a) |
| | | Termination procedures (a) |
| Information access management | 164.308(a)(4) | Isolating health care clearinghouse function (r) |
| | | Access authorization (a) |
| | | Access establishment and modification (a) |
| Security awareness and training | 164.308(a)(5) | Security reminders (a) |
| | | Protection from malicious software (a) |
| | | Log-in monitoring (a) |
| | | Password management (a) |
| Security incident procedures | 164.308(a)(6) | Response and reporting (r) |
| Contingency plan | 164.308(a)(7) | Data backup plan (r) |
| | | Disaster recovery plan (r) |
| | | Emergency mode operation plan (r) |
| | | Testing and revision procedure (a) |
| | | Applications and data criticality analysis (a) |
| Evaluation | 164.308(a)(8) | (r) |
| Business associate contracts and other arrangements | 164.308(b)(1) | Written contract or other arrangement (r) |
| Policies and procedures | 164.316(a) | (r) |
| Documentation | 164.316(b)(1) | (r) |
Source: Appendix A to Subpart C of Part 164 (45 CFR)