What are the HIPAA Security Rule Administrative Safeguards at 45 CFR § 164.308?
This particular provision of HIPAA – 45 CFR 164.308 – is used in legal texts, HIPAA policies and procedures, and by DHHS, to signify, “We’re talking about the Security Rule Administrative Safeguards here.”
What are Security Rule administrative safeguards?
HIPAA Security Rule administrative safeguards consist of administrative actions, policies, and procedures.
These actions, policies, and procedures are used to manage the selection, development, and implementation of security measures.
45 CFR 164.308 is sub-divided into 45 CFR 164.308(a) and 45 CFR 164.308(b).
45 CFR 164.308(b) is the less elaborate provision. It states that a covered entity may permit a business associate to handle the covered entity’s ePHI, but only if the parties agree, in a written business associate agreement, that the business associate will appropriately safeguard the information.
45 CFR 164.308(a) requires covered entities and business associates to:
- Implement a security management process. (45 CFR 164.308(a)(1)).
- Designate a security official, who will be responsible for the development and implementation of Security Rule policies and procedures. (45 CFR 164.308(a)(2)).
- Implement workforce security measures (45 CFR 164.308(a)(3)), by implementing policies and procedures to:
  - Ensure that all members of the workforce have appropriate access to electronic protected health information; and
  - Prevent those workforce members who are not given access to ePHI from obtaining such access.
- Implement policies and procedures for authorizing access to electronic protected health information. (45 CFR 164.308(a)(4)).
- Implement a security awareness and training program for all workforce members, including management. (45 CFR 164.308(a)(5)).
- Implement policies and procedures to address security incidents. (45 CFR 164.308(a)(6)).
- Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI. (45 CFR 164.308(a)(7)).
- Perform a periodic technical and nontechnical evaluation that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of the Security Rule. (45 CFR 164.308(a)(8)).
To learn more about the HIPAA Security Rule and how to satisfy all of your HIPAA compliance obligations, contact Compliancy Group for all your HIPAA needs. We take all of the requirements of HIPAA compliance and place them in one easy-to-use software platform, with Compliance Coaches guiding you through the entire regulation from start to finish.