The administrative safeguard is one of the security rules set by the Health Insurance Portability and Accountability Act (HIPAA) that refers to standards that help prevent electronic protected health information (EPHI) from unauthorized access. The administrative safeguard is one of the three safeguards HIPAA requires covered entities to implement—physical and technical safeguards are the other two requisites.

There are nine administrative safeguard standards that HIPAA requires covered entities to implement. Examples of these administrative safeguards include:

  • Establishing a security management process
  • Assigning a security official
  • Conducting security awareness training for employees
  • Drawing up a contract for all third-party entities that have access to EPHI


Read More about “Administrative Safeguard

HIPAA specifically defines the administrative safeguard as “administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect EPHI and manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Details related to the administrative safeguard take up more than half of the HIPAA security requirements, which hints at its importance.

What Is the HIPAA Security Rule?

The HIPAA Security Rule is the U.S. national standard for protecting the EPHI of every person. It dictates how covered entities should go about safeguarding the protected health information of their clients.

Who Are Covered by HIPAA?

Entities that must adhere to HIPAA rules, including the administrative safeguard discussed here, include any organization or individual belonging to:

  • Healthcare providers
  • Healthcare clearinghouses
  • Health insurance companies
  • Health maintenance organizations (HMOs)
  • Hospitals
  • Academic medical centers

What Are the Administrative Safeguard Standards of HIPAA?

HIPAA set nine administrative safeguard standards shown in the image below.

Administrative Safeguard Standards of HIPAA
  • Security Management Process: This standard implements the entity’s security program, covering risk analysis, risk management, sanction policy, and information system (IS) activity review.
  • Assigned Security Responsibility: This standard requires health organizations and other covered entities to identify a security official who will be responsible for developing and implementing security policies and procedures.
  • Workforce Security: The Workforce Security standard requires covered entities to identify employees that need access to EPHI. The goal is to ensure that access is controlled.
  • Information Access Management: This administrative safeguard refers to policies and procedures that give the right users authority to access EPHI. Entities must ensure they follow the HIPAA privacy rules in implementing this standard to limit unauthorized and unnecessary access to protected health information.
  • Security Awareness and Training: All new and existing employees and staff members of a covered entity must undergo security awareness training. Aside from onboarding, entities must also conduct periodic training that covers security updates and upgrades.
  • Security Incident Procedures: Covered entities must define and implement policies and procedures to address security incidents. Attempted unauthorized access to protected health information is already considered a security incident, and health organizations must respond and report them.
  • Contingency Plan: HIPAA requires covered entities to have a concrete plan to follow during emergencies that can destroy EPHI, such as fires, system failures, and natural disasters. The standard includes implementing data backup, disaster recovery, and emergency mode operation plans.
  • Evaluation: Covered entities must regularly evaluate their security plans and procedures to make sure they continue to protect EPHI appropriately.
  • Business Associate Contracts and Other Arrangements: This standard aims to protect EPHI from a third-party-related data breach. Covered entities can allow other organizations to create, maintain, or transmit protected data only if they strictly follow HIPAA rules.

What Are the Three Types of Safeguards Under the HIPAA Security Rule?

HIPAA requires covered entities to adhere to three kinds of safeguards—administrative, physical, and technical. We already discussed administrative safeguards, which refer to policies and procedures organizations must implement to protect client health information stored and transmitted electronically.

Physical safeguards help control physical access to a covered entity’s premises and computer systems. For instance, HIPAA requires medical facilities and other covered entities to have security alarms, computer privacy filters, and cable locks. These safeguards aim to prevent unauthorized access to the covered entity’s systems.

Technical safeguards aim to do the same. They refer to technology applications that can restrict access to EPHI. Examples of technical safeguards include encryption to protect data transmission, access control to limit access to health information, and audit systems to monitor the activities on systems containing EPHI.

All facilities that create, store, access, and transmit patient health information must do their best to protect sensitive data. The administrative safeguard set by HIPAA is only one of the many security measures covered entities can implement.

Key Takeaways

  • Administrative safeguards are security measures required by HIPAA to protect patients’ electronic health information.
  • The administrative safeguard is one of the three safeguards covered entities must implement. The other two are physical and technical safeguards.
  • The administrative safeguard comprises nine security standards.
  • EPHI stands for “electronic protected health information.”
  • The HIPAA Security Rule aims to prevent cyber attacks and data breaches.

Other interesting terms…