
A Summary of the Proposed HIPAA Regulations Implementing HITECH
Administrative Safeguards



The administrative safeguards provisions in the Security Rule require entities to adopt policies and procedures that appropriately manage the selection, development, implementation, and maintenance of security measures to protect e-PHI.84 The most critical step in addressing this requirement is for entities to conduct risk analysis and risk management. Proper risk analysis and risk management detects and analyzes potential risks and vulnerabilities to the confidentiality or integrity of e-PHI, and reduces those risks to a reasonable and appropriate level.85


A CE also must apply appropriate sanctions against workforce members who fail to comply with its security policies and procedures.86 To properly deter violations, a CE’s workforce must understand the consequences of failing to comply. A CE must also implement procedures to regularly review information system activity records, such as audit logs, access reports, and security incident tracking reports.87 This permits entities to determine whether any e-PHI is being inappropriately used or disclosed.


The Security Rule requires a CE to identify a security official who will be responsible for developing and implementing its security policies.88 The CE must implement policies and procedures that authorize access to e-PHI only when such access is necessary based on the user’s or recipient’s role.89 Compliance with this standard should support an entity’s compliance with the Privacy Rule’s minimum necessary requirements.


A CE is required to ensure that all workforce members have appropriate access to e-PHI.90 The CE must also prevent unauthorized users from obtaining access to such information, and must implement security awareness and training programs for all workforce members.


A CE must implement ongoing monitoring and evaluation plans, which require periodic assessment of how well its security policies and procedures meet the Security Rule requirements.91


Footnotes