The administrative safeguards make up 50% of the Security Rule's standards and relate to the administrative actions the covered entity must implement to meet the requirements of the Security Rule. These safeguards relate primarily to the workforce and the way the covered entity trains and expects its representatives to carry out the security requirements. The administrative safeguards require documented policies and procedures for day-to-day operations; managing the conduct of employees who handle Patient Health Information (PHI); and managing the selection, development, and use of security controls.
The specific standards of the administrative safeguards are:
- Security management process (CFR §164.308(a)(1)): Implementing policies and procedures to prevent, detect, contain, and correct security violations.
- Assigned security responsibility (CFR §164.308(a)(2)): A single individual must be designated as having overall responsibility for the security of a Covered Entity's (CE) Electronic Patient Health Information (EPHI).
- Workforce security (CFR §164.308(a)(3)): Implementing policies and procedures to ensure that employees have only appropriate access to EPHI.
- Information access management (CFR §164.308(a)(4)): Implementing policies and procedures for authorizing access to EPHI.
- Security awareness and training (CFR §164.308(a)(5)): Implementing a security awareness and training program for a CE's entire workforce.
- Security incident procedures (CFR §164.308(a)(6)): Implementing policies and procedures to handle security incidents.
- Contingency plan (CFR §164.308(a)(7)): Implementing policies and procedures for responding to an emergency or other occurrence that damages systems containing EPHI.
- Evaluation (CFR §164.308(a)(8)): Performing periodic technical and non-technical evaluations that determine the extent to which a CE's security policies and procedures meet the ongoing requirements of the Security Rule.
- Business associate contracts and other arrangements (CFR §164.308(b)(1)): A CE may permit a business associate to create, receive, maintain, or transmit EPHI on the CE's behalf only if the CE has satisfactory assurance that the business associate will appropriately safeguard the data.