§ 164.308 Administrative safeguards
(a) A covered entity must:
(1) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
HIPAA Survival Guide Note
This standard has four "required" implementation specifications: 1) Risk analysis, 2) Risk management, 3) Sanction policy, and 4) Information system activity review. The first two are quite broad in scope.
(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
(3) Standard: Workforce security. Implement policies and procedures to ensure that only appropriate members of the workforce have access to ePHI.
HIPAA Survival Guide Note
This standard has a number of "addressable" specifications regarding supervision, clearance and termination of workforce members.
(4) Standard: Information access management. Implement policies and procedures for authorized access to ePHI that are consistent with the applicable requirements of the PR.
HIPAA Survival Guide Note
For providers, this standard contains several addressable specifications pertaining to access and modification of ePHI.
(5) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
HIPAA Survival Guide Note
This standard contains addressable specifications regarding security reminders, viruses, passwords and login monitoring.
(6) Standard: Security incident procedures.
HIPAA Survival Guide Note
This standard contains one required specification regarding identifying and responding to suspected or known security incidents.
(7) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that could damage systems that contain ePHI.
HIPAA Survival Guide Note
This standard contains both required and addressable specifications. The required specifications relate to data backups, disaster recovery and emergency operations. In principle, this standard is largely met by having a plan in place that allows a provider to access and restore offsite system and data backups in a reasonable manner.
(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation to ensure that standards continue to be met in response to operational and environmental changes.
(b) Standard: Business associate contracts and other arrangements.
HIPAA Survival Guide Note
The definition of this standard is quite lengthy and mostly parallels what is required under the PR regarding business associates. The required specification indicates that a contract is required, analogous to the PR.
Commentary on Administrative Safeguards
In general, these safeguards mandate that policies and procedures be developed and implemented that are focused on the reasonable and appropriate access to, and protection of, ePHI. For larger providers the CIO and information systems department will, of necessity, be involved in this effort.
As previously mentioned, small providers face quite different challenges because of resource constraints, and therefore must carefully consider their options regarding SR compliance. Depending on the nature of their electronic systems, and in particular whether they are hosted locally or on the Internet, a provider may have a distinct set of choices regarding how to "reasonably and appropriately" achieve their objectives.