FAQ
FAQ’s
What are the HIPAA administrative safeguards?

What are the HIPAA administrative safeguards?

HIPAA’s administrative safeguards include a range of actions, policies, and procedures which is over half the HIPAA Security Rule. These are specifically created to oversee the entire process of selecting, developing, implementing, and maintaining security measures aimed at safeguarding ePHI.

Hence, to comply with HIPAA’s administrative safeguards, you as a healthcare organization need to follow a series of steps:

Implement a security management process

Enact policies and procedures to prevent, detect, contain, and correct security violations.

Required implementation specifications:

  • Risk analysis
  • Risk management
  • Sanction policy
  • Information system activity review

Designate a security official

Identify the security official responsible for developing and executing required policies and procedures.

Establish workforce security measures

Ensure staff have appropriate access to ePHI and prevent unauthorized access. For example, healthcare providers like doctors and nurses should have appropriate access, while administrative staff should not.

Implementation specifications:

  • Authorization and/or supervision
  • Workforce clearance procedure
  • Termination procedures

Authorize ePHI access

In this section healthcare providers must authenticate their identity through a secure login process before accessing a patient’s records.

Implementation specifications:

  • Isolating health care clearinghouse functions
  • Access authorization
  • Access establishment and modification 

Implement security awareness and training

Conduct a security awareness and training program for all staff and management.

Implementation specifications:

  • Security reminders
  • Protection from malicious software
  • Log-in monitoring
  • Password management

Prepare for emergency response

Implement policies and procedures to address security incidents.

Required implementation specifications:

  • Response and reporting
  • Emergency mode operation plan 
  • Data backup plan 
  • Disaster recovery plan 
  • Testing and revision procedures 
  • Applications and data criticality analysis

For example, if an employee detects unusual activity on the EHR system, they should immediately report it to the hospital’s IT security team for investigation and appropriate action.

Conduct periodic evaluations

Conduct recurring technical and nontechnical evaluations based on initial standards implemented and respond to ePHI security changes.

Was this article helpful?

How can we improve this article?

Related questions

  • Which is the latest version of the PCI DSS compliance?
  • What is the current version of ISO 27001?
  • What is PCI DSS compliance verification?
  • What are PCI DSS compliance milestones?
  • What are the three steps of PCI compliance?
  • What are the functions of PCI?
  • How often must PCI DSS compliance be validated?
  • What is required for PCI DSS compliance?
  • How to reduce PCI DSS cost?
  • Does ISO 27001 require MFA?

Found this useful?

Get SOC 2 compliance
ready in 4 weeks!

Try Sprinto

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.

Contact sales