This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Administrative Safeguards Policy

Reference: 45 CFR 164.308
Last Updated: July 5, 2023


The administrative safeguards make up 50% of the Security Rule's standards and relate to the administrative actions the covered entity must implement to meet the requirements of the security rule. These safeguards relate primarily to the workforce and the way the covered entity trains and expects its representatives to carry out the security requirements. The administrative safeguards require documented policies and procedures for day-to-day operations; managing the conduct of employees with Patient Health Information (PHI); and managing the selection, development, and use of security controls.


The specific standards of the administrative safeguards are:

  • Security management process (CFR §164.308(a)(1)): Implementing policies and procedures to prevent, detect, contain, and correct security violations.
  • Assigned security responsibility (CFR §164.308(a)(2)): A single individual must be designated as having overall responsibility for the security of a Covered Entity's (CE) Electronic Patient Health Information (EPHI).
  • Workforce security (CFR §164.308(a)(3)): Implementing policies and procedures to ensure that employees have only appropriate access to EPHI.
  • Information access management (CFR §164.308(a)(4)): Implementing policies and procedures for authorizing access to EPHI.
  • Security awareness and training (CFR §164.308(a)(5)): Implementing a security awareness and training program for a CE's entire workforce.
  • Security incident procedures (CFR §164.308(a)(6)): Implementing policies and procedures to handle security incidents.
  • Contingency plan (CFR §164.308(a)(7)): Implementing policies and procedures for responding to an emergency or other occurrences that damages systems containing EPHI.
  • Evaluation (CFR §164.308(a)(8)): Performing periodic technical and non-technical evaluations that determine the extent to which a CE's security policies and procedures meet the ongoing requirements of the Security Rule.
  • Business associate contracts and other arrangements (CFR §164.308(b)(1)): A CE may permit a business associate to create, receive, maintain, or transmit EPHI on the CE's behalf only if the CE has satisfactory assurance that the business associate will appropriately safeguard the data.
Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram