Implementing HIPAA’s Security Rule Safeguards — Part 1: Administrative Safeguards


What would you be willing to spend to pay off liability claims for breaching HIPAA laws? $10,000? $50,000? $100,000? Or you could prevent ever having to write that enormous check and save yourself thousands of dollars by using HIPAA compliance software.

In order to fully reduce and minimize liabilities, the smart choice is to use HIPAA compliance software. It is an efficient and affordable way to ensure your organization is HIPAA compliant, and it will keep you and your clients feeling assured and protected.

The U.S. Department of Health and Human Services regulates and enforces these requirements, which include the HIPAA Security Rule. As technology and the means of sharing information keep advancing, keeping electronic protected health information (ePHI) safe and secure must be a top priority.

As part one in a three-part series, we will outline why it is vital to be compliant with HIPAA’s Security Rule and how to do so.

Administrative Safeguards

First on your list to implement are the Administrative Safeguards. The HIPAA Security Rule’s Administrative Safeguards focus on your organization’s internal security measures, ensuring you create a durable security foundation to best protect your patients’ information.

Below, we outline the ten areas the Administrative Safeguards require.

1. Security Management Process (45 CFR 164.308(a)(1)(i))

Identify and analyze possible risks to ePHI, and implement the security measures available to reduce those risks and any vulnerabilities through which ePHI could be leaked.

2. Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A))

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

HIPAA One is the simplest, most automated and affordable comprehensive security risk analysis on the market, guaranteeing compliance and reducing risk. See for more information.

3. Assigned Security Responsibility (45 CFR 164.308(a)(2))

Designate a trustworthy official who is responsible for overseeing the development and execution of the organization’s policies and practices.

4. Workforce Security (45 CFR 164.308(a)(3)(i))

Only authorized people may be granted access to ePHI, so disclosure and use of ePHI must be governed by role-based access. To be compliant with the Privacy Rule, any access to or disclosure of ePHI is on a need-to-know basis.

5. Information Access Management (45 CFR 164.308(a)(4)(ii)(A))

Identify and isolate healthcare clearinghouse functions by moving that computing/server environment onto a separate network, with a firewall inserted between it and the rest of the production computing network. Ideally, also put an IDS/IPS (network security device) in place to monitor for malware and other types of attacks.

6. Security Incident Procedures (45 CFR 164.308(a)(6))

Implement policies and procedures to address security incidents.

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

A Security Incident Response Plan (SIRP) is designed to report, verify, contain, notify, restore service, document and provide a cost estimate. If you have a SIRP but no reports of incidents, look at training and awareness for your workforce: there should have been some reports in the past 12 months, or people are not aware of what the process is.
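The "no reports in 12 months is itself a finding" rule above is easy to automate against an incident register. The following is an added example written for this post, not HIPAA One's code; the record layout, the 12-month window and the sample incidents are constructed for illustration, and the stage names follow the post's list (report, verify, contain, notify, restore service, document, cost estimate).

```python
"""Review a security-incident register against the SIRP stages in the post.

Added example (not HIPAA One's code). The record layout, the 365-day window
and the sample register are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Stages of the plan, in the order the post lists them.
SIRP_STAGES = ("reported", "verified", "contained", "notified",
               "service_restored", "documented", "cost_estimated")


@dataclass
class Incident:
    incident_id: str
    reported: date                          # every record starts with a report
    verified: Optional[date] = None
    contained: Optional[date] = None
    notified: Optional[date] = None
    service_restored: Optional[date] = None
    documented: Optional[date] = None
    cost_estimated: Optional[date] = None

    def missing_stages(self) -> List[str]:
        """Stages that have no completion date recorded yet."""
        return [s for s in SIRP_STAGES if getattr(self, s) is None]


def review_incident_register(incidents: List[Incident], as_of: date,
                             window_days: int = 365) -> Dict[str, object]:
    """Summarise the register for the trailing window ending on `as_of`."""
    window_start = as_of - timedelta(days=window_days)
    recent = [i for i in incidents if window_start < i.reported <= as_of]
    incomplete = {i.incident_id: i.missing_stages()
                  for i in recent if i.missing_stages()}
    return {
        "reports_in_window": len(recent),
        "incomplete": incomplete,
        # Zero reports in a year is itself a finding: review training/awareness.
        "awareness_review_recommended": len(recent) == 0,
    }


# Constructed sample register (hypothetical incident ids and dates).
SAMPLE_REGISTER = [
    Incident("INC-0001", date(2024, 1, 15), verified=date(2024, 1, 15),
             contained=date(2024, 1, 16), notified=date(2024, 1, 20),
             service_restored=date(2024, 1, 17), documented=date(2024, 1, 25),
             cost_estimated=date(2024, 1, 31)),
    # Contained and restored, but notification, write-up and cost are still open.
    Incident("INC-0002", date(2024, 5, 3), verified=date(2024, 5, 3),
             contained=date(2024, 5, 3), service_restored=date(2024, 5, 4)),
    # Old, fully closed incident outside a mid-2024 review window.
    Incident("INC-0003", date(2022, 11, 2), verified=date(2022, 11, 2),
             contained=date(2022, 11, 3), notified=date(2022, 11, 4),
             service_restored=date(2022, 11, 3), documented=date(2022, 11, 10),
             cost_estimated=date(2022, 11, 15)),
]

if __name__ == "__main__":
    for as_of in (date(2024, 6, 30), date(2022, 6, 30)):
        print(as_of, review_incident_register(SAMPLE_REGISTER, as_of))
```

Run it as a script to see both outcomes: a review dated mid-2024 lists INC-0002 as incomplete, while a review dated mid-2022 finds no reports at all and raises the awareness flag.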

7. Security Awareness Training (45 CFR 164.308(a)(5)(i))

Train and supervise personnel who have access to ePHI. The rule requires that organizations must train employees about the security policies and procedures and enforce appropriate sanctions against those individuals who do not comply.

Conduct training annually, and ensure that HIPAA Security Training at a minimum covers encryption, the definition of a security incident, the channels for reporting incidents, email phishing, and the duty to report any unencrypted ePHI to the HIPAA Security Officer.

Periodic reminders such as emails, newsletters, staff meetings, posters and bulletin board postings are all helpful in keeping people aware.

People are the biggest resource in identifying and reporting security incidents.

8. Contingency Plan (45 CFR 164.308(a)(7)(i))

Establish a data backup and restoration plan for all servers and databases, and don’t forget to include periodic testing (at least quarterly) of data restores to verify backup integrity.

Contingency planning may be as simple as developing a “System Downtime Packet”: a stapled set of paper forms that make up a health care packet. Include patient demographic forms, SOAP note forms, common ICD codes, one blank prescription sheet, a medical/doctor’s note and any other forms commonly used in the process. Enter the data when the EHR system becomes available again.

Disaster Recovery Planning includes an up-to-date ePHI asset sheet listing each server’s criticality and restoration priority (no more than four levels, please) for use when systems must be restored.

Periodically test the above scenarios to verify they would meet the emergency needs of your organization.
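The backup-testing and asset-sheet points above can be checked mechanically. The following is an added example written for this post, not HIPAA One's code: it validates a constructed asset sheet against the post's two stated limits (no more than four priority levels; restores tested at least quarterly, taken here as 90 days), produces the restoration order, and compares digests for a test restore. The sheet layout, the sample entries and the 90-day figure are assumptions.

```python
"""Check a disaster-recovery asset sheet like the one the post describes.

Added example; not HIPAA One's code. The sheet layout, the 90-day
restore-test limit (the post's "at least quarterly") and the sample
entries are all constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_PRIORITY_LEVELS = 4                     # post: "no more than four levels"
RESTORE_TEST_MAX_AGE = timedelta(days=90)   # post: test restores at least quarterly


@dataclass(frozen=True)
class Asset:
    name: str
    holds_ephi: bool
    priority: int                       # 1 = restore first, 4 = restore last
    last_backup: date
    last_restore_test: Optional[date]   # None = a restore has never been tested


def restoration_order(assets: List[Asset]) -> List[str]:
    """Asset names in the order they would be brought back after a disaster."""
    return [a.name for a in sorted(assets, key=lambda a: (a.priority, a.name))]


def validate_sheet(assets: List[Asset], as_of: date) -> Dict[str, List[str]]:
    """Return {asset name: [issues]} for every asset that fails a check."""
    findings: Dict[str, List[str]] = {}
    for a in assets:
        issues = []
        if not 1 <= a.priority <= MAX_PRIORITY_LEVELS:
            issues.append(f"priority {a.priority} is outside 1..{MAX_PRIORITY_LEVELS}")
        if a.last_restore_test is None:
            issues.append("restore has never been tested")
        elif as_of - a.last_restore_test > RESTORE_TEST_MAX_AGE:
            age = (as_of - a.last_restore_test).days
            issues.append(f"last restore test {age} days ago "
                          f"(limit {RESTORE_TEST_MAX_AGE.days})")
        if issues:
            findings[a.name] = issues
    return findings


def restore_matches_source(source: bytes, restored: bytes) -> bool:
    """Integrity check for a test restore: compare SHA-256 digests."""
    return hmac.compare_digest(hashlib.sha256(source).digest(),
                               hashlib.sha256(restored).digest())


# Constructed sample sheet (hypothetical host names and dates).
SAMPLE_SHEET = [
    Asset("ehr-db-primary", True, 1, date(2024, 6, 29), date(2024, 5, 10)),
    Asset("ehr-app-server", True, 2, date(2024, 6, 29), date(2024, 2, 1)),   # stale test
    Asset("file-server", True, 3, date(2024, 6, 28), None),                  # never tested
    Asset("intranet-wiki", False, 4, date(2024, 6, 20), date(2024, 6, 1)),
    Asset("legacy-lab-interface", True, 5, date(2024, 6, 27), date(2024, 6, 15)),  # bad level
]

if __name__ == "__main__":
    print("Restore order:", restoration_order(SAMPLE_SHEET))
    for name, issues in validate_sheet(SAMPLE_SHEET, date(2024, 6, 30)).items():
        print(name, "->", "; ".join(issues))
```

Run as a script, the report flags the server whose last restore test is 150 days old, the file server that has never had a restore tested, and the entry using a fifth priority level; the restoration order follows the priority column, with ties broken by name.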

9. Protection from Malicious Software (45 CFR 164.308(a)(5)(ii)(B))

Ensure there are multiple layers protecting your computers from malware. Ransomware is becoming a huge problem: a user is fooled into clicking a link in an email, the malware is downloaded and spreads to every computer it can reach, encrypting their hard drives, and the attackers demand a money transfer to release the files.

At a minimum, include safeguards such as patch management, anti-virus, a deep-packet-inspection firewall with a subscription service that blocks suspicious activity (SonicWall/Dell and FortiGate have good solutions for small to medium sized organizations), and training to keep users aware of deceptive phishing scams (and never to open email from people you don’t know).

Through a multi-layered approach you can protect your organization from becoming another victim of cybercrime.

10. Evaluation

Perform routine, periodic evaluations of how well your security policies and procedures meet the requirements of the Security Rule.

In a world where private information is becoming less and less private, organizations — including yours — must strive to maintain and protect the health information of each individual. By following the required steps of the Administrative Safeguards, you can feel assured that you are following HIPAA standards and are keeping yourself, those you work with and your patients safe.

HIPAA One® provides comprehensive coverage of all Physical, Administrative, Technical and Organizational (Vendor Management and Business Associates) safeguards and empowers individuals, with or without security experience, to test their own preparedness and benchmark their HIPAA Security efforts. Email us at [email protected], or visit today for more information.

Check back on our blog soon for part two of this series where we will explain the HIPAA Security Rule’s Physical Safeguards.
