What is 45 CFR 164.308?

HIPAA Security Rule administrative safeguards are contained in what is known as the Code of Federal Regulations, or CFR. The Code of Federal Regulations is a series of books that comprise all federal regulations issued by all federal agencies and executive departments. The CFR is structured into 50 subject matter titles. Title 45 (the Title for the Department of Health and Human Services, which administers HIPAA) is entitled “Public Welfare.” Part 164 of Title 45 is “Privacy and Security.”


Section 308 of Part 164 is the Administrative Safeguards provision of the HIPAA Security Rule. Its full citation is 45 CFR 164.308. Citations are written out with a “§” symbol, which separates the title from the other pieces of information (the part and the section).

What are the HIPAA Security Rule Administrative Safeguards at 45 CFR § 164.308?

This particular provision of HIPAA, 45 CFR 164.308, is used in legal texts, in HIPAA policies and procedures, and by DHHS to signify, “We’re talking about the Security Rule Administrative Safeguards here.”

What are Security Rule administrative safeguards?

HIPAA Security Rule administrative safeguards consist of administrative actions, policies, and procedures.

These actions, policies, and procedures are used to manage the selection, development, and implementation of security measures.

45 CFR 164.308 is sub-divided into 45 CFR 164.308(a) and 45 CFR 164.308(b).

45 CFR 164.308(b) is the less elaborate provision. It simply provides that a covered entity may permit a business associate to handle the covered entity’s ePHI, but only if the parties agree, in a written business associate agreement, that the business associate will appropriately safeguard the information.

45 CFR 164.308(a) requires covered entities and business associates to:

  1. Implement a security management process. (45 CFR 164.308(a)(1)).
  2. Designate a security official, who will be responsible for the development and implementation of Security Rule policies and procedures. (45 CFR 164.308(a)(2)).
  3. Implement workforce security measures, by implementing policies and procedures to: (45 CFR 164.308(a)(3)).
    1. Ensure that all members of the workforce have appropriate access to electronic protected health information; and
    2. Prevent those workforce members who are not given access to ePHI from obtaining such access.
  4. Implement policies and procedures for authorizing access to electronic protected health information. (45 CFR 164.308(a)(4)).
  5. Implement a security awareness and training program for all workforce members, including management. (45 CFR 164.308(a)(5)).
  6. Implement policies and procedures to address security incidents. (45 CFR 164.308(a)(6)).
  7. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems that contain ePHI. (45 CFR 164.308(a)(7)).
  8. Perform a periodic technical and nontechnical evaluation that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of the Security Rule. (45 CFR 164.308(a)(8)).
