This article addresses the administrative safeguard requirements, and offers a quiz. The user is invited to answer some multiple choice questions. Each question asks, “Which of the Following is an Administrative Safeguard for PHI?”
Which of the Following is an Administrative Safeguard for PHI? An Overview
HIPAA security standards consist of four general rules for covered entities and business associates to follow:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- Ensure the covered entity or business associate’s workforce complies with the HIPAA Security Rule.
To ensure compliance with these rules, HIPAA requires that covered entities implement administrative safeguards, technical safeguards, and physical safeguards.
HIPAA Security Rule technical safeguards are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
HIPAA Security Rule physical safeguards consist of “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
What are Security Rule Administrative Safeguards?
HIPAA Security Rule administrative safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
45 CFR § 164.308 is the administrative safeguard provision of the HIPAA Security Rule. This provision is sub-divided into 45 CFR § 164.308(a) and 45 CFR § 164.308(b).
45 CFR § 164.308(b) is the less elaborate provision. It permits a covered entity to allow a business associate to create, receive, maintain, or transmit ePHI on its behalf, but only if the covered entity obtains satisfactory assurances, in a written business associate agreement, that the business associate will appropriately safeguard the information. The same requirement applies between a business associate and any subcontractor it engages to handle that ePHI.
45 CFR § 164.308(a) contains the administrative safeguard “commandments.” It requires covered entities and business associates to:
- Implement a security management process that includes a security risk analysis, risk management (security measures sufficient to reduce the identified risks), a sanction policy for workforce members who fail to comply, and regular review of information system activity such as audit logs and access reports. (45 CFR § 164.308(a)(1)).
- Designate a security official, who will be responsible for the development and implementation of Security Rule policies and procedures. (45 CFR § 164.308(a)(2)).
- Implement workforce security measures, through policies and procedures that:
  - Ensure that all members of the workforce who need access to ePHI have appropriate access; and
  - Prevent workforce members who are not authorized to access ePHI from obtaining such access, including terminating access when employment ends. (45 CFR § 164.308(a)(3)).
- Implement policies and procedures for authorizing access to electronic protected health information. (45 CFR § 164.308(a)(4)).
- Implement a security awareness and training program for all workforce members, including management. (45 CFR § 164.308(a)(5)).
- Implement policies and procedures to address security incidents. (45 CFR § 164.308(a)(6)).
- Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI. (45 CFR § 164.308(a)(7)).
- Perform a periodic technical and nontechnical evaluation that establishes the extent to which the covered entity’s or business associate’s security policies and procedures meet the requirements of the Security Rule. (45 CFR § 164.308(a)(8)).
Quiz Question 1: Which of the Following is an Administrative Safeguard for PHI?
a. A procedure for revoking access to ePHI when an employee leaves the organization.
b. Installing security patches.
c. De-identifying PHI.
d. Developing policies and procedures that specify where to place and position workstations to only allow ePHI viewing by authorized individuals.
The correct answer is (A): termination procedures fall under the workforce security standard (45 CFR § 164.308(a)(3)). B is a technical safeguard measure, and C is a Privacy Rule de-identification method rather than a Security Rule safeguard; neither is an administrative safeguard. D is a physical safeguard measure (workstation use, 45 CFR § 164.310(b)).
Quiz Question 2: Which of the Following is an Administrative Safeguard for PHI?
a. Installing a firewall between a covered entity’s computer network and the Internet.
b. Developing policies and procedures for physical facilities that identify individuals (workforce members, business associates, contractors, etc.) with authorized access to electronic information systems.
c. Instituting policies and procedures to protect ePHI from improper alteration or destruction
d. Performing a security risk analysis
The correct answer is (D): a security risk analysis is part of the security management process (45 CFR § 164.308(a)(1)). A and C relate to the technical safeguard requirements (access control and integrity, 45 CFR § 164.312), while B relates to physical safeguards (facility access controls, 45 CFR § 164.310(a)).