What are the Administrative Requirements of the HIPAA Security Rule?
Published: Jan 23, 2025
As the overarching regulation for healthcare data in the United States, the Health Insurance Portability and Accountability Act (HIPAA) has helped secure what is considered personally identifiable information (PII) and its transfer and disclosure within the sector. Under HIPAA, providers and their business associates (BAs) must meet the law’s requirements, including the administrative safeguards within its Security Rule.
For the record, HIPAA’s Security Rule does contain more than just those safeguards—in fact, it contains three other sections of requirements as well—Physical, Technical, and Organizational. To achieve HIPAA compliance, you must meet all of these requirements, but that can only happen with a thorough understanding.
That’s a lot of information, which is why—as experienced HIPAA assessors—we’re going to break things down. In this blog post, we focus on the implementation specifications of the Administrative Safeguards within HIPAA’s Security Rule so that you know precisely what to do to meet these requirements.
(In the future, you can expect similar analyses of not just the other 3 sections of this Rule, but also HIPAA’s Breach Notification and Privacy Rules as well so that you can attain comprehensive knowledge that is critical to your compliance.)
The 9 Administrative Safeguard Standards of the HIPAA Security Rule
Altogether, the HIPAA Security Rule mandates that covered entities and business associates maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI). Among the requirements are the nine Administrative Safeguards—policies and procedures you must implement to achieve compliance.
Before we get into the details of each safeguard, we should be clear about an important included component—implementation specifications. HIPAA provides them for nearly all of the nine Administrative Safeguards, and there’s an important distinction you should note:
| Required | Addressable |
|---|---|
| If a specification is required, you must implement it exactly as dictated by HIPAA. | If a specification is addressable, you have more flexibility to achieve compliance, as you can either: |
1. Security Management Process
What This Safeguard Requires:
- Analysis of security risks
- Implementation of policies and procedures that prevent, detect, and correct security violations
- Definition of appropriate sanctions for security violations
Security management is the foundation of the HIPAA Security Rule, and performing a thorough risk analysis and developing a corresponding risk management plan are integral initial steps. But HIPAA is specific about how you should go about these items, as there are four required implementation specifications:
- Risk Analysis: Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of your held ePHI.
- Risk Management: Make and document decisions regarding how you address security risks and vulnerabilities.
- Sanction Policy: Put appropriate penalties in place so that your workforce understands the consequences of failing to comply with security policies and procedures (and will therefore be encouraged to comply with said policies).
- Information System Activity Review: Regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports.
2. Assigned Security Responsibility
What This Safeguard Requires:
- Identification of the security official who is responsible for the development and implementation of the required security policies and procedures
While this safeguard doesn’t specify how you must go about identifying this person—it has no required or addressable specifications—you must of course still document the individual you select to be fully compliant.
3. Workforce Security
What This Safeguard Requires:
- Implementation of policies and procedures to ensure that all workforce members have appropriate access to ePHI, and to prevent those who should not have access from obtaining it
Controlling access to your sensitive data is key for security, and HIPAA lays out three addressable implementation specifications under this safeguard:
- Authorization and/or Supervision: Establish whether a particular user has the right to carry out certain activities in information systems containing ePHI.
- Workforce Clearance Procedure: Create a process to provide workforce members* appropriate access for their job function.
- Termination Procedures: Enact and enforce a process for the removal of access privileges when a user no longer needs these privileges.
* Remember that your workforce extends to contract workers too, so your process to validate, add, and remove user access applies to them as well.
4. Information Access Management
What This Safeguard Requires:
- Implementation of policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user’s or recipient’s role (role-based access)
- Restriction of access authorization to only those individuals and entities with a need for access
There are three implementation specifications under this safeguard—one required (R) and two addressable (A):
- Isolating Health Care Clearinghouse Functions (R): If you are a healthcare clearinghouse that is part of a larger organization, you must implement ePHI protection procedures and policies.
- Access Authorization (A): Implement policies and procedures that document clearly who can authorize access to PHI for your organization’s workforce (i.e., employees, vendors, contractors).
- Access Establishment and Modification (A): Implement and manage the creation and modification of access privileges to workstations, transactions, programs or processes.
5. Security Awareness and Training
What This Safeguard Requires:
- Performance of a security awareness and training program with required attendance from all staff and management.
While you should train staff on your overall HIPAA policies and practices to best protect the security of ePHI, HIPAA includes four particular addressable implementation specifications under this safeguard:
- Security Reminders: Provide focused reminders of security policies and procedures to your personnel.
- Protection from Malicious Software: Implement procedures for guarding against, detecting, and reporting malicious software.
- Log-in Monitoring: Make workforce members aware of log-in attempts that are not appropriate.
- Password Management: Establish procedures for creating, changing, and safeguarding passwords.
6. Security Incident Procedures
What This Safeguard Requires:
- Creation of policies and procedures to address security incidents.
While this may seem fairly straightforward, keep in mind this safeguard does have one required and multi-pronged implementation specification:
- Response and Reporting:
  - Identify and respond to suspected or known security incidents;
  - Mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and
  - Document security incidents and their outcomes.
(Refer to the Omnibus Rule to meet compliance with this standard.)
7. Contingency Plan
What This Safeguard Requires:
- Creation and implementation of a contingency plan, or policies and procedures for responding to an emergency or event that damages ePHI.
Your contingency plan will come into play when you’re faced with natural disasters, fires, or system failures that damage systems holding ePHI and make the information unavailable. To help you shape yours, HIPAA provides five implementation specifications within this safeguard—three are required (R) and two are addressable (A):
- Data Backup Plan (R): Establish procedures for the creation, maintenance, and retrieval of exact copies of ePHI.
- Disaster Recovery Plan (R): Implement procedures for the restoration of any data lost.
- Emergency Mode Operation Plan (R): Create procedures that both enable the continuation of critical business processes and protect ePHI while operating in emergency mode.
- Testing and Revision Procedure (A): Enact procedures for the periodic testing and revision of your contingency plans.
- Applications and Data Criticality Analysis (A): Identify applications that store, maintain, or transmit ePHI and determine how important each is to business operations, so that you can prioritize them for data backup and recovery.
8. Evaluation
What This Safeguard Requires:
- Regular performance of a technical and a nontechnical review that includes:
- Periodic monitoring of adherence to security policies and procedures
- Documentation of the results of those monitoring activities
- Implementation of appropriate improvements in policies and procedures
While this safeguard contains no implementation specifications and simply requires you to implement ongoing monitoring and evaluation plans, take care to periodically review those plans so that you can adjust to any environmental or operational changes that affect ePHI security.
(You may have heard that the Office for Civil Rights (OCR) issued the HIPAA Audit Program Protocol, which can assist you in conducting a compliant evaluation, but that protocol doesn’t address everything—you must ensure that your evaluation includes all HIPAA, HITECH, and Breach Notification requirements.)
9. Business Associate Contracts and Other Arrangements
What This Safeguard Requires:
- Obtaining assurances that your business associates will appropriately safeguard any ePHI that the BA is allowed to create, receive, maintain, or transmit on your behalf
This standard has one required implementation specification:
- Written Contract or Other Arrangement: Maintain a written contract or arrangement with all BAs that meets the applicable requirements of HIPAA.
To get started here and remain HIPAA compliant, identify all data that is shared with your BAs and reconcile your findings with all your business associate agreements (BAAs)—which should be in place for all—and maintain an inventory of these agreements (which should make it easier to review them regularly).
Other Considerations for HIPAA Compliance
As these nine Administrative Safeguards to protect ePHI comprise over half of the HIPAA Security Rule’s total requirements, you should plan for a heavier lift when embarking on compliance. But that endeavor should be a little easier now that you understand more about each standard, what’s required, and where you have more flexibility in meeting these HIPAA requirements.
To feel even better about your compliance, you may want to invest in an external assessment and Schellman may be the right fit for your organization. You can contact us to have a more detailed conversation with our team about your needs, but in the meantime, read our other content that can help you achieve and maintain compliance:
- Best Practices for Conducting HIPAA Risk Assessments
- How to Manage Your Third-Party HIPAA Risk
- Using ONC/OCR SRA Tool in Your HIPAA Risk Analysis
About Kellie Worley
Kellie Worley is a Senior Associate with Schellman. Prior to joining the firm, she was a HIPAA Compliance Consultant at Clearwater and served as AVP of Compliance and Privacy Officer for a hospital company with facilities across the U.S. Having previously operated as Privacy Officer in other healthcare organizations, she has 20+ years of experience in healthcare compliance.