What are HIPAA Administrative Safeguards?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA, PL104-191) was enacted to protect the privacy and availability of health insurance coverage and medical information. The law’s primary goals include protecting health insurance coverage for workers and their families in the event that the insured employee changes or loses a job, safeguarding the security and confidentiality of patient health information, and establishing standards for the electronic exchange of health care information. HIPAA required the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.[1] To that end, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule establishes national standards for the protection of certain health information, and the Security Rule establishes national security standards for the protection of certain health information that is held or transferred in electronic form.
The Security Rule requires that covered entities maintain reasonable and appropriate safeguards for protecting electronic patient health information (e-PHI) in three distinct areas: administrative, technical, and physical. The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” Administrative Safeguards comprise over half of HIPAA requirements. The following are the five standards for administrative safeguards:
Security Management Process. A covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level.
Security Personnel. A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.
Information Access Management. Consistent with the Privacy Rule standard limiting uses and disclosures of PHI to the “minimum necessary,” the Security Rule requires a covered entity to implement policies and procedures for authorizing access to e-PHI only when such access is appropriate based on the user or recipient’s role (role-based access).
Workforce Training and Management. A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI. A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
Evaluation. A covered entity must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.
[1] HHS.gov, 2023, “Summary of the HIPAA Security Rule”