Healthcare Information Security

A look at HIPAA administrative safeguard requirements

Administrative safeguards may not be as topical as technical or even physical safeguards when it comes to HIPAA compliance, but the HIPAA Series reminds readers that these safeguards make up more than half of the Security Rule's requirements. As with the technical and physical safeguards, many of the implementation specifications are "addressable" rather than "required." Addressable does not mean optional: a covered entity must implement an addressable specification if doing so is reasonable and appropriate, and otherwise must document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate. Having administrative safeguards in place alongside the other safeguards makes it easier for security officers both to prevent a health data breach and to respond to one.

The Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” In practice, this requires those responsible for security in a healthcare organization to evaluate the controls already in place, analyze risk accurately and thoroughly, and document the measures chosen in response.

§ 164.308(a)(1) Security Management Process

“Implement policies and procedures to prevent, detect, contain, and correct security violations.”

Here are the four implementation specifications in the Security Management Process standard.

1. Risk Analysis (Required)

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.”

2. Risk Management (Required)

“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

3. Sanction Policy (Required)

“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

4. Information System Activity Review (Required)

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

§ 164.308(a)(2) Assigned Security Responsibility

“Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”

§ 164.308(a)(3) Workforce Security

“Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to ePHI.”

1. Authorization and/or Supervision (Addressable)

“Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.”

2. Workforce Clearance Procedure (Addressable)

“Implement procedures to determine that the access of a workforce member to ePHI is appropriate.”

3. Termination Procedures (Addressable)

“Implement procedures for terminating access to ePHI when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.”

§ 164.308(a)(4) Information Access Management

“Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].”

1. Isolating Health Care Clearinghouse Functions (Required)

“If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization.”

2. Access Authorization (Addressable)

“Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism.”

3. Access Establishment and Modification (Addressable)

“Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.”

§ 164.308(a)(5) Security Awareness and Training

“Implement a security awareness and training program for all members of its workforce (including management).”

1. Security Reminders (Addressable)

“Periodic security updates.”

2. Protection from Malicious Software (Addressable)

“Procedures for guarding against, detecting, and reporting malicious software.”

3. Log-in Monitoring (Addressable)

“Procedures for monitoring log-in attempts and reporting discrepancies.”

4. Password Management (Addressable)

“Procedures for creating, changing, and safeguarding passwords.”
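The Information System Activity Review specification above (§ 164.308(a)(1)) asks for regular review of audit logs and access reports, and the Log-in Monitoring and Termination Procedures specifications ask for log-in discrepancies and lingering access by departed workforce members to be caught. The following is an added example, not code from the page or from HHS, of what such a review looks like when automated: it runs three checks over a constructed audit log and returns findings for a reviewer to act on. The log format, account names, thresholds and time windows are all assumptions for illustration.

```python
# Added example (not from the page or HHS): a small information-system activity
# review over a constructed audit log. Three checks map to the standards above:
#   - bursts of failed log-ins for one account      (Log-in Monitoring)
#   - any activity by an account that HR has
#     reported as terminated                        (Termination Procedures)
#   - unusually many distinct patient records
#     viewed by one account in a short window       (Information System Activity Review)
# Log format, account names, thresholds and windows are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: "<ISO timestamp> <EVENT> key=value ...".
SAMPLE_LOG = """\
2024-03-04T08:02:11 LOGIN_OK user=jsmith src=10.1.4.22
2024-03-04T08:03:05 RECORD_VIEW user=jsmith patient=P1001
2024-03-04T08:10:40 LOGIN_FAIL user=rlee src=10.1.4.50
2024-03-04T08:11:02 LOGIN_FAIL user=rlee src=10.1.4.50
2024-03-04T08:11:30 LOGIN_FAIL user=rlee src=10.1.4.50
2024-03-04T08:11:55 LOGIN_FAIL user=rlee src=10.1.4.50
2024-03-04T08:12:20 LOGIN_FAIL user=rlee src=10.1.4.50
2024-03-04T08:13:01 LOGIN_OK user=rlee src=10.1.4.50
2024-03-04T09:00:00 LOGIN_OK user=tgone src=203.0.113.9
2024-03-04T09:00:45 RECORD_VIEW user=tgone patient=P2002
2024-03-04T10:00:00 LOGIN_OK user=mpark src=10.1.4.61
2024-03-04T10:00:10 RECORD_VIEW user=mpark patient=P3001
2024-03-04T10:00:20 RECORD_VIEW user=mpark patient=P3002
2024-03-04T10:00:30 RECORD_VIEW user=mpark patient=P3003
2024-03-04T10:00:40 RECORD_VIEW user=mpark patient=P3004
2024-03-04T10:00:50 RECORD_VIEW user=mpark patient=P3005
2024-03-04T10:01:00 RECORD_VIEW user=mpark patient=P3006
"""

TERMINATED_ACCOUNTS = {"tgone"}   # assumed feed from HR / the termination procedure
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)  # failed log-ins per account per window
VIEW_THRESHOLD, VIEW_WINDOW = 5, timedelta(minutes=5)   # distinct patients per account per window


def parse_log(text):
    """Parse log lines into (timestamp, event, fields) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), event, fields))
    return events


def _burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside some span of length `window`."""
    times = sorted(times)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def _distinct_in_window(items, threshold, window):
    """True if at least `threshold` distinct values occur inside some span of length
    `window`; `items` are (timestamp, value) pairs."""
    items = sorted(items)
    lo = 0
    for hi in range(len(items)):
        while items[hi][0] - items[lo][0] > window:
            lo += 1
        if len({v for _, v in items[lo:hi + 1]}) >= threshold:
            return True
    return False


def review_activity(events):
    """Return (finding_type, user, detail) tuples for the reviewer to follow up."""
    findings = []
    fails, views, flagged = defaultdict(list), defaultdict(list), set()
    for ts, event, f in events:
        user = f.get("user", "?")
        if event == "LOGIN_FAIL":
            fails[user].append(ts)
        elif event == "RECORD_VIEW":
            views[user].append((ts, f.get("patient")))
        # Any successful activity by a terminated account is a finding by itself.
        if user in TERMINATED_ACCOUNTS and event in ("LOGIN_OK", "RECORD_VIEW") and user not in flagged:
            flagged.add(user)
            findings.append(("terminated_account_active", user, ts.isoformat()))
    for user, times in fails.items():
        if _burst(times, FAIL_THRESHOLD, FAIL_WINDOW):
            findings.append(("login_failure_burst", user, f"{len(times)} failures"))
    for user, items in views.items():
        if _distinct_in_window(items, VIEW_THRESHOLD, VIEW_WINDOW):
            findings.append(("high_volume_record_access", user,
                             f"{len({p for _, p in items})} distinct records"))
    return findings


def run_review(text=SAMPLE_LOG):
    return review_activity(parse_log(text))


if __name__ == "__main__":
    for kind, user, detail in run_review():
        print(f"{kind:28} {user:8} {detail}")
```

On the constructed log this reports rlee's failed-log-in burst, tgone's activity after termination, and mpark's rapid access to six patient records, while jsmith's ordinary session produces nothing. The point of the exercise is the documented, repeatable review: the thresholds belong in policy, the findings and their disposition belong in the incident record that § 164.308(a)(6) requires, and a terminated account that still works is evidence that the Termination Procedure itself needs revisiting.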

§ 164.308(a)(6) Security Incident Procedures

“Implement policies and procedures to address security incidents.”

This standard has a single implementation specification, and it is required:

§ 164.308(a)(6)(ii) The Response and Reporting implementation specification states that covered entities must:

“Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.”

The HIPAA Series listed these items as examples:

- Stolen or otherwise inappropriately obtained passwords that are used to access ePHI

- Corrupted backup tapes that do not allow restoration of ePHI

- Virus attacks that interfere with the operations of information systems with ePHI

- Physical break-ins leading to the theft of media with ePHI

- Failure to terminate the account of a former employee that is then used by an unauthorized user to access information systems with ePHI

- Providing media with ePHI, such as a PC hard drive or laptop, to another user who is not authorized to access the ePHI prior to removing the ePHI stored on the media.

§ 164.308(a)(7) Contingency Plan

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.”

The Contingency Plan standard includes five implementation specifications.

1. Data Backup Plan (Required)

“Establish and implement procedures to create and maintain retrievable exact copies of ePHI.”

2. Disaster Recovery Plan (Required)

“Establish (and implement as needed) procedures to restore any loss of data.”

3. Emergency Mode Operation Plan (Required)

“Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.”

4. Testing and Revision Procedures (Addressable)

“Implement procedures for periodic testing and revision of contingency plans.”

5. Applications and Data Criticality Analysis (Addressable)

“Assess the relative criticality of specific applications and data in support of other contingency plan components.”
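The Data Backup Plan asks for "retrievable exact copies" of ePHI, and the Testing and Revision specification asks that the plan be exercised periodically; the HIPAA Series' own incident example of corrupted backup tapes that cannot be restored shows what happens when neither is verified. The following is an added example, not code from the page or from HHS, of a restore test that makes "exact copy" checkable: a SHA-256 manifest is written at backup time, every file is restored into a scratch directory and compared against the manifest, and missing or altered files are reported. The file names, manifest format and sample contents are constructed for illustration and contain no real PHI.

```python
# Added example (not from the page or HHS): a backup-and-restore test for the
# Data Backup Plan's "retrievable exact copies" and the Testing and Revision
# procedure. A SHA-256 manifest written at backup time lets a later restore be
# verified file by file. Names, manifest format and sample data are constructed.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"   # assumed manifest file name inside the backup


def sha256_of(path):
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir):
    """Copy every file under source_dir into backup_dir and record each digest."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        manifest[rel] = sha256_of(src)   # digest of the original, not of the copy
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(backup_dir, restore_dir):
    """Restore every file named in the manifest into restore_dir and check its digest.
    Returns (ok, problems); problems lists files that are missing or do not match."""
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        src = backup_dir / rel
        if not src.is_file():
            problems.append(f"missing: {rel}")
            continue
        dest = restore_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if sha256_of(dest) != expected:
            problems.append(f"corrupted: {rel}")
    return not problems, problems


def demo():
    """Constructed run: back up, verify a clean restore, then damage the backup
    (flip one byte in one file, delete another) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup = root / "source", root / "backup"
        (source / "notes").mkdir(parents=True)
        (source / "patients.csv").write_bytes(b"id,name\n1,constructed-sample\n")
        (source / "notes" / "visit1.txt").write_bytes(b"constructed sample note\n")
        make_backup(source, backup)
        clean = verify_restore(backup, root / "restore1")

        damaged = backup / "patients.csv"
        data = bytearray(damaged.read_bytes())
        data[0] ^= 0xFF                     # simulate a bad medium / bit rot
        damaged.write_bytes(bytes(data))
        (backup / "notes" / "visit1.txt").unlink()   # simulate a lost file
        broken = verify_restore(backup, root / "restore2")
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore ok:", clean[0])
    print("damaged restore ok:", broken[0], broken[1])
```

Two caveats a practitioner should keep in mind. First, this checks integrity and retrievability only; a backup of ePHI still needs the confidentiality controls (encryption, access control, media handling) that the rest of the Security Rule covers. Second, a manifest stored on the same medium as the backup is only as trustworthy as that medium, so keep a separate copy of the manifest (or its digest) where the restore test can reach it.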

§ 164.308(a)(8) Evaluation

“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of ePHI that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

§ 164.308(b)(1) Business Associate Contracts And Other Arrangements

“A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information.”

There is one implementation specification for this standard - § 164.308(b)(4) Written contracts. Covered entities are required to: “Document the satisfactory assurances required by paragraph (b)(1) [the Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a) [the Organizational Requirements].”
