45 CFR § 164.308 is the section of the Code of Federal Regulations that contains the Administrative Safeguards of the HIPAA Security Rule. This section covers areas such as security management processes, security awareness training, and contingency planning in the context of preventing the loss, theft, or unauthorized disclosure of electronic Protected Health Information (ePHI).
The Administrative Safeguards of the Security Standards for the Protection of Electronic Protected Health Information (the “HIPAA Security Rule”) were added to the Code of Federal Regulations in 2003 with an effective date of 21st April 2005. They consist of eight standards relating to the policies and procedures required to support the Technical and Physical Safeguards of the Security Rule.
The Administrative Safeguards in 45 CFR § 164.308 apply to Covered Entities and Business Associates that create, receive, maintain, or transmit ePHI on behalf of a Covered Entity, and the eight standards are designed to:
- Ensure the confidentiality, integrity, and availability of ePHI
- Protect ePHI against reasonably anticipated threats
- Protect ePHI against unauthorized uses and disclosures
- Ensure employee compliance with the Security Rule
Like other areas of the HIPAA Security Rule, the Administrative Safeguards include implementation specifications that are either “required” or “addressable”. While Covered Entities and Business Associates have no option but to implement required specifications, there is a degree of flexibility in how Covered Entities and Business Associates approach addressable specifications.
Covered Entities and Business Associates can assess whether each addressable specification is reasonable and appropriate for the environments in which they operate and then either implement the specification, implement an equivalent alternative, or not implement the specification at all, documenting why it is not reasonable or appropriate in compliance with 45 CFR § 164.316.
#1 – Security Management Process
The standard relating to the security management process has four required implementation specifications. Covered Entities and Business Associates must conduct risk assessments to identify potential risks and vulnerabilities and use the risk assessments to develop policies and procedures that prevent, detect, contain, and correct security violations.
In addition to implementing security policies to reduce risks and vulnerabilities “to a reasonable and appropriate level”, sanction policies have to be developed for staff that fail to comply with security policies, mechanisms have to be put in place to record system activity (i.e., audit logs, access reports, security incident tracking, etc.) and procedures implemented to review system activity reports.
#2 – Assign Security Responsibility
Covered Entities and Business Associates are required by the Privacy Rule to appoint a Privacy Officer who is a point of contact for all HIPAA compliance queries and patient complaints. Similarly, the Administrative Safeguards require Covered Entities and Business Associates to identify a Security Officer responsible for the development and implementation of security policies and procedures.
In smaller organizations, the Privacy Officer and Security Officer will likely be the same person. In enterprise-scale organizations, the named Security Officer will likely be the head of a team assigned the responsibility for security. Nonetheless, it is a requirement of the Security Rule that an individual is identified as being responsible for the confidentiality, integrity, and availability of ePHI.
#3 – Workforce Security
The standard relating to workforce security requires Covered Entities and Business Associates to implement policies to ensure that only members of their workforce with the appropriate authority have access to ePHI and to prevent those without authority from accessing ePHI. How Covered Entities and Business Associates comply with this standard is flexible because the three implementation specifications are all “addressable”:
- Implement procedures for the authorization and/or supervision of workforce members with access to ePHI.
- Implement procedures to determine that each workforce member's access to ePHI is appropriate.
- Implement procedures to terminate access to ePHI when a member of the workforce leaves or their roles change.
#4 – Information Access Management
This standard requires Covered Entities and Business Associates to implement policies and procedures for access to ePHI which are compliant with aspects of the Privacy Rule – specifically those relating to allowable uses and disclosures, the accounting of disclosures, patients' rights to request access to their ePHI, and their option to limit who ePHI is shared with.
Health care clearinghouses are singled out as being required to isolate ePHI from other operations if they are part of a larger organization, but all Covered Entities and Business Associates must develop information access policies and implement procedures for reviewing – and modifying when necessary – a user's right of access to a workstation, database, program, or other system.
#5 – Security and Awareness Training
Although the requirement to provide security and awareness training to all members of the workforce (including management) must be complied with, how Covered Entities and Business Associates achieve compliance with this standard is again very flexible. For example, there is no indication of how frequently security and awareness training should be provided.
The four addressable requirements in this standard relate to sending periodic security reminders, implementing procedures for guarding against, detecting, and reporting malware, monitoring log-in attempts to identify unsuccessful logins, and password management. Further information about the HIPAA password requirements and password best practices can be found in this article.
#6 – Security Incident Procedures
Although this standard of the Security Rule Administrative Safeguards states that Covered Entities and Business Associates must implement policies and procedures to address security incidents, the single implementation specification in this standard requires Covered Entities and Business Associates to identify, respond to, and report suspected and known security incidents.
To comply with this standard, Covered Entities and Business Associates also have to develop procedures for containing security incidents, mitigating the harmful effects of security incidents, and documenting each security incident and its outcomes. In any organization with a distributed workforce, it is important that remote and travelling workers are made aware of these procedures.
#7 – Contingency Plan
Originally this standard was developed to address the risks to ePHI attributable to fires, vandalism, system failures, and natural disasters. However, in recent years, the implementation specifications have become more relevant for protecting against ransomware attacks – particularly in the context of ensuring the confidentiality, integrity, and availability of ePHI.
Compliance with this standard consists of a mixture of required and addressable implementation specifications. The required specifications are that Covered Entities and Business Associates establish a data backup plan, a disaster recovery plan, and an emergency mode operation plan; while the addressable specifications relate to testing procedures and application analyses.
#8 – Evaluation
The evaluation standard relates to performing periodic technical and non-technical evaluations of compliance with the previous standards and of the impact of environmental or operational changes. These evaluations must not only be conducted independently by Covered Entities and Business Associates, but also jointly when a Business Associate provides a service for a Covered Entity.
However, the only implementation specification for this standard requires evaluations to be documented and Business Associate Agreements amended when an environmental or operational change occurs. If a subcontractor of a Business Associate experiences an environmental or operational change, assurances that ePHI will continue to be safeguarded must also be documented.
The Security Risk Analysis (45 CFR § 164.308(a)(1))
The order of standards and implementation specifications is no accident, as the first requirement of the Administrative Safeguards is to conduct a security risk analysis (45 CFR § 164.308(a)(1)) based on “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the Covered Entity or Business Associate”.
Without a security risk analysis, it is impossible for Covered Entities and Business Associates to develop and implement effective policies and procedures that will protect ePHI from potential risks and vulnerabilities. Furthermore, the security measures implemented to comply with the risk management requirement of the Administrative Safeguards might not be sufficient “to reduce risks and vulnerabilities to a reasonable and appropriate level”.
Noncompliance with 45 CFR § 164.308 is Not an Option
It is important to be aware that all eight standards of the Administrative Safeguards must be complied with in order to be compliant with 45 CFR § 164.308. Failing to (for example) assign a Security Officer, conduct security and awareness training, or create a backup plan are all considered violations of HIPAA even if there is no breach of ePHI attributable to them.