Keywords:  Administrative Safeguards, HIPAA
Administrative Safeguards
When implementing HIPAA security, the individual security requirements are divided into three categories: the administrative, physical and technical safeguards. The administrative safeguards are the first part of the HIPAA security regulations, and probably the most important, as they provide the organizational, procedural and management structure for the implementation. The following components are part of the Administrative Safeguards section, along with an indication of whether each is R (Required) or A (Addressable).
  • Security Management Process:  This covers the policies and procedures that facilitate the security of the Protected Healthcare Information (PHI).
    • Risk Analysis (R)
    • Risk Management (R)
    • Sanction Policy (R)
    • Information System Activity Review (R)
  • Assigned Security Responsibility (R): An official has to be identified who is responsible for policies and procedures, i.e., a Chief Security or Privacy Official needs to be appointed. This function can be shared by an official who is responsible for other compliances as well, or, in case of a major institution, this can be a dedicated official.
  • Workforce Security:  This addresses the "minimum necessary rule" in the regulation, i.e., to make sure that everyone has exactly the amount of access needed to do his or her job, no more and no less.
    • Authorization or Supervision (A)
    • Workforce Clearance Procedure (A)
    • Termination Procedures (A)
  • Information Access Management:  Policies and procedures should be implemented to authorize PHI access.
    • Clearinghouse functions should be isolated (R)
    • Access Establishment and Modification (A)
    • Access Authorization (A)
  • Security Awareness and Training: A training program for all employees should be in place. Depending on their role, a different program is required. For example, people who clean the offices, and therefore have access to certain areas, require a different type of training than nurses or physicians.
    • Security Reminders (R)
    • Protection from malicious software (R)
    • Log-in Monitoring (R)
    • Password Management (R)
  • Security Incident Procedures (R): Identify and review known incidents, and implement pragmatic follow-up measures. Procedures for reporting these incidents should be made available and known.
  • Contingency Plans:  Disaster recovery in cases of emergency such as fire, floods, severe weather conditions, power failures, etc. must be planned.
    • Data back-up plan (R)
    • Disaster Recovery Plan (R)
    • Emergency Mode Operation Plan (R)
    • Testing and Revision Procedure (A)
    • Application and Data Criticality Analysis (R)
  • Evaluation (R)
  • Business Associate (BA) Agreements and other arrangements (R)