HIPAA administrative safeguards are a critical piece to the larger health data security puzzle that all covered entities must put together. The three types of safeguards are not only a federal requirement, but they all play an important role in ensuring that sensitive health data remains secure and out of the reach of unauthorized individuals.
This week, HealthITSecurity.com will discuss what HIPAA administrative safeguards are, and what some common options are that healthcare facilities can implement. Not every type of administrative safeguard will necessarily be applicable to every covered entity. As is the case with HIPAA physical safeguards and technical safeguards, healthcare organizations will need to review their own policies, daily work flow, and security needs to ensure that the right measures are put in place.
What are HIPAA administrative safeguards?
The HIPAA Security Rule describes administrative safeguards as policies and procedures designed “to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
Essentially, covered entities must implement policies and procedures that help guide employees in the proper care and use of ePHI. This can include security training requirements and how certain security responsibilities should be delegated in a facility.
HIPAA administrative safeguards are broken down into several main aspects:
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plan
- Business associate contracts and other arrangements
Covered entities must properly implement and monitor their “performance of security management process, assignment or delegation of security responsibility, training requirements, and evaluation and documentation of all decisions.”
Breaking down the aspects of administrative safeguards
As mentioned above, the HIPAA administrative safeguards are divided into several main areas, all of which covered entities need to go over to find out how, if at all, they can implement them into their regular procedures. Each section comes with its own subset of implementation specifications, and these vary between being required and being addressable. We will review the specifications and, where applicable, provide examples of what a covered entity could do to meet that area of the HIPAA administrative safeguards.
Security management process: This standard establishes the basic policies and procedures that a covered entity must put in place to properly guide its employees in HIPAA administrative safeguard compliance. This is also where healthcare organizations need to consider their risk management and risk analysis procedures: essentially, reviewing their security measures to ensure they have a strong strategy to protect the confidentiality, integrity, and availability of ePHI.
Assigned security responsibility: This standard requires that covered entities “identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.” For example, healthcare organizations should decide if it would be beneficial for one person to be designated as both the Privacy Officer and Security Officer, or if those should be two separate assignments. Moreover, those employees’ roles should properly reflect the size, complexity, and technical capabilities of the organization.
Workforce security: This requires covered entities to implement policies and procedures that ensure that employees have appropriate access to ePHI so they can properly perform their job functions. For example, an organization should determine who has the authority to decide which employees have access to ePHI. Procedures should be consistent when determining who has access. This is also where termination procedures must be considered. For example, after an employee who had access to ePHI is terminated, the covered entity should ensure that he or she can no longer access that information. This could be done by deactivating the employee’s password or access code.
Information access management: Restricting access to only those individuals and entities with a need for it is a basic tenet of security, and this standard requires covered entities to implement policies and procedures that do so. “Compliance with this standard should support a covered entity’s compliance with the HIPAA Privacy Rule minimum necessary requirements, which requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information,” according to the HIPAA Security Series.
Security awareness and training: This standard is where covered entities must consider their workforce security training. For example, are proper password policies in place to ensure that individuals do not share passwords? Are log-in attempts reviewed to determine that employees are not accessing ePHI inappropriately? This is also where employees could be reminded to protect against malicious software.
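The two checks just described, deactivating access when an employee leaves (workforce security) and reviewing log-in attempts for inappropriate access (security awareness and training), can be automated against routine exports. The script below is an added example written for this article; it is not code from HealthITSecurity.com or HHS. The HR roster, account directory export, log line format, user names and record ids are all constructed sample data, and a real deployment would read them from the organization’s own HR system, directory and application logs.

```python
"""Constructed access-review checks for HIPAA administrative safeguards."""
from collections import Counter
from datetime import date, datetime

# --- Constructed sample data (not from the article) ----------------------
# HR roster: who works here and when their access should have ended.
HR_ROSTER = {
    "jdoe":   {"role": "nurse",     "terminated": date(2016, 3, 1)},
    "asmith": {"role": "billing",   "terminated": None},
    "bwong":  {"role": "physician", "terminated": None},
}

# Account directory export: username -> is the account still enabled?
ACCOUNTS = {
    "jdoe": True,        # left on 2016-03-01 but was never deactivated
    "asmith": True,
    "bwong": True,
    "svc_legacy": True,  # no matching HR record at all
}

# ePHI application log, one event per line (constructed format).
ACCESS_LOG = """\
2016-03-02T08:15:00 user=jdoe action=view record=ehr-1042 result=success
2016-03-02T09:00:00 user=asmith action=login result=failure
2016-03-02T09:00:20 user=asmith action=login result=failure
2016-03-02T09:00:41 user=asmith action=login result=failure
2016-03-02T09:01:03 user=asmith action=login result=failure
2016-03-02T09:01:30 user=asmith action=login result=failure
2016-03-02T09:05:00 user=bwong action=login result=success
2016-03-02T09:06:12 user=bwong action=view record=ehr-2210 result=success
2016-02-27T14:30:00 user=jdoe action=view record=ehr-1042 result=success
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"ts": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def accounts_needing_deactivation(roster, accounts):
    """Enabled accounts whose owner is terminated or unknown to HR."""
    flagged = []
    for user, enabled in sorted(accounts.items()):
        if not enabled:
            continue
        record = roster.get(user)
        if record is None:
            flagged.append((user, "no HR record"))
        elif record["terminated"] is not None:
            flagged.append((user, f"terminated {record['terminated']}"))
    return flagged


def post_termination_access(roster, events):
    """Successful ePHI access by a user after their HR termination date."""
    hits = []
    for ev in events:
        record = roster.get(ev.get("user"))
        if record is None or record["terminated"] is None:
            continue
        if ev.get("result") == "success" and ev["ts"].date() > record["terminated"]:
            hits.append((ev["user"], ev["ts"].isoformat(), ev.get("record", "-")))
    return hits


def failed_login_outliers(events, threshold=5):
    """Users whose failed login count reaches the review threshold."""
    counts = Counter(
        ev["user"] for ev in events
        if ev.get("action") == "login" and ev.get("result") == "failure"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("deactivate:", accounts_needing_deactivation(HR_ROSTER, ACCOUNTS))
    print("post-termination access:", post_termination_access(HR_ROSTER, evs))
    print("failed-login outliers:", failed_login_outliers(evs))
```

Run against the constructed data, the first check flags the terminated nurse’s still-enabled account and an account with no HR owner, the second shows that the same account viewed a record the day after termination, and the third surfaces a user with five failed log-ins in under two minutes. The threshold of five is an assumption; a covered entity would set it from its own password policy and the size of its workforce.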
Security incident procedures: This standard requires covered entities to implement necessary policies and procedures to address security incidents. For example, healthcare organizations could ask themselves what type of incidents could happen at their facility. Do the security incident policies and procedures identify to whom security incidents must be reported? Essentially, employees at all levels need to understand how they must react in numerous situations to ensure ePHI security.
Contingency plan: This standard is where covered entities must consider what to do in a natural disaster, or if they lose power. They can establish strategies for recovering access to ePHI “should the organization experience an emergency or other occurrence.” For example, organizations should know what type of back-up material is needed, e.g. recovery discs or back-up storage. How will ePHI be protected in various situations, such as if the power is out for an extended period of time?
Evaluation: This standard requires covered entities to implement ongoing monitoring and evaluation plans. These should be periodically reviewed so organizations can adjust to any environmental or operational changes that affect ePHI security.
Business associate contracts and other arrangements: The final standard is similar to the business associate agreement aspect of the HIPAA Privacy Rule, but is specific to business associates that create, receive, maintain or transmit ePHI. There must be a written contract or arrangement that meets the applicable requirements of HIPAA.