In the final post of this blog series, we will cover the Administrative Safeguards required for covered entities as set for in the HIPAA Security Rule (Section 164.308). The Administrative Safeguards are the most comprehensive standards, as they cover over half of the HIPAA Security Rule. These standards encompass many of the oversight aspects of managing a covered entity. The other two posts in this blog series covered Technical Safeguards and Physical Safeguards.
The Department of Health and Human Services defines these safeguards as “administrative” actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information”.
Administrative Safeguards are broken down into the following standards:
- Security Management Process: A covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations. There are four required implementations for this standard:
- Risk Analysis
- Risk Management
- Sanction Policy
- Information System Activity Review
- Assigned Security Responsibility: This standard requires the designation of a security official who is responsible for development and implementation of policies and procedures.
- Workforce Security: Under this standard, a covered entity must implement policies and procedures to ensure that all staff members have appropriate access to ePHI, and also to prevent those workforce members who do not have permission, from accessing it. There are three addressable implementations under this standard:
- Authorization and/or Supervision
- Workforce Clearance Procedure
- Termination Procedures
- Information Access Management: This standard relates to the implementation of policies and procedures regarding the authorization of access to ePHI. There are three addressable implementations under this standard:
- Isolating Healthcare Clearinghouse Functions
- Access Authorization
- Access Establishment and Authorization
- Security Awareness and Training: Under this standard, a covered entity must have a security awareness and training program for all members of its workforce, including physicians and management. There are four implementations for this standard:
- Security Reminders
- Protection of Malicious Software
- Log-in Monitoring
- Password Management
- Security Incident Procedures: Covered entities must have policies and procedures in place to address security incidents. There is one implementation:
- Contingency Plan: The purpose of this standard is for covered entities to establish policies and procedures for responding to emergencies or other occurrences (fire, vandalism, natural disasters, etc.) that may damage systems containing ePHI. There are five implementations for this standard:
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Testing and Revision Procedures
- Applications and Data Criticality Analysis
- Evaluation: This standard requires covered entities to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI.
- Business Associate Contracts and Other Arrangements: The final standard relates to the relationship between a covered entity and the vendors it uses. It states that the covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf, only if the covered entity obtains the correct assurances. There is one implementation under this standard:
- Written Contract or Other Arrangement
HIPAA Administrative standards provide a broad and wide-encompassing scope of administrative functions that a covered entity must implement regarding the security of ePHI. Here are some basic practices that a covered entity can put into place:
- Perform a regular risk analysis of systems used by the office to determine any new vulnerabilities or weaknesses.
- Appoint a HIPAA Security Officer who oversees the implementation of these standards and maintains all policies and procedures related to security measures.
- Ensure that all staff members adhere to a policy of creating strong passwords to access workstations/software programs that access ePHI. These passwords should not be common words or phrases and should not be shared among employees.
- Create regular backups of any servers or systems that process ePHI. This can be done via a cloud-based system or an encrypted backup tape/hard drive.
- Immediately remove access to any programs that process ePHI (EMR, billing/scheduling software, etc.) for any employee that becomes no longer associated with the covered entity (termination or job change). This will help prevent improper access to patient data.
- Obtain and maintain Business Associate Agreements (BAAs) with any third-party vendors that store or process PHI. These agreements must ensure that the vendor will appropriately safeguard patient information.
As with Physical and Technical Standards, Administrative Standards need to be reviewed for each covered entity through an annual HIPAA Security Risk Assessment. These assessments are not only mandatory, but they are essential to determine any risks that can lead a breach of data.
In closing, the HIPAA Security Rule covers a wide range of standards and implementations that covered entities must employ to ensure HIPAA compliance. Failure to adhere to these policies can lead to OCR (Office for Civil Rights) sanctions in the forms of audits and even severe civil penalties.
By Anirudh Nadkarni.