HIPAA's Security Rule divides its protections into three "safeguard" categories: administrative (discussed here), physical and technical. Each safeguard category includes various standards and implementation specifications.

The Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (PHI) and to manage the conduct of the covered entity's workforce in relation to the protection of that information."

The administrative safeguards standards and their implementation specifications are presented in the matrix below.

Formal policies and procedures are required for compliance with the Security Rule. Comprehensive documentation of security measures is also required. Documentation must be kept current, and a historical record maintained as well. Those two standards have been added to this matrix for completeness, but they apply to all safeguard areas.

| Standard | CFR section | Implementation specifications ((r) = required; (a) = addressable) |
|---|---|---|
| Security management process | 164.308(a)(1) | Risk analysis (r); risk management (r); sanction policy (r); information system activity review (r) |
| Assigned security responsibility | 164.308(a)(2) | (r) |
| Workforce security | 164.308(a)(3) | Authorization and/or supervision (a); workforce clearance procedure (a); termination procedures (a) |
| Information access management | 164.308(a)(4) | Isolating health care clearinghouse function (r); access authorization (a); access establishment and modification (a) |
| Security awareness and training | 164.308(a)(5) | Security reminders (a); protection from malicious software (a); log-in monitoring (a); password management (a) |
| Security incident procedures | 164.308(a)(6) | Response and reporting (r) |
| Contingency plan | 164.308(a)(7) | Data backup plan (r); disaster recovery plan (r); emergency mode operation plan (r); testing and revision procedure (a); applications and data criticality analysis (a) |
| Evaluation | 164.308(a)(8) | (r) |
| Business associate contracts and other arrangements | 164.308(b)(1) | Written contract or other arrangement (r) |
| Policies and procedures | 164.316(a) | (r) |
| Documentation | 164.316(b)(1) | (r) |

Source: Appendix A to Subpart C of Part 164

