The HIPAA Security Rule defines Administrative Safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic Protected Health Information (ePHI) and to manage the conduct of the Covered Entity’s workforce in relation to the protection of that information.”

The Administrative Safeguards comprise half of the HIPAA Security Rule requirements.

Some examples of Administrative Safeguards:

  • Policies and Procedures: Acceptable Use of Assets, Confidentiality Agreements, and hiring and termination policies need to be in place, reviewed annually, and revised if necessary. Policies need to be communicated to staff.
  • Staff Training: HIPAA training is conducted upon hire and continues throughout employment. At minimum, annual HIPAA training must be completed.
  • Auditing and Monitoring: User activity in operating systems and applications that contain ePHI must be monitored, and that monitoring must be reviewed regularly. Company computers should be used for business purposes only.
  • Business Associate Agreements: Any third parties that have access to the organization’s Protected Health Information (PHI) have to sign a Business Associate Agreement to guarantee the security of the PHI they access.


Security and compliance are first and foremost in the management of our clients' systems. After we conducted thousands of Security Risk Assessments (SRAs), common vulnerabilities began to emerge. We launched HIPAA Tip Tuesday to make clients aware of the actions they can take to address these vulnerabilities.

Have a great week!