The 9 Standards for HIPAA’s Administrative Safeguards

HIPAA’s definition on Administrative Safeguards: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Standard #1: Security Management Process relates to the prevention, detection and correction of any security violations.

  • Risk Analysis – Identify security risks and the probability of occurrence/magnitude.
  • Risk Management – Decide how to address above risks.
  • Sanction Policy – Establish and acknowledge penalties for non-compliance.
  • Information System Activity Review – Regularly review information system activity.

Standard #2: Assigned Security Responsibility requires that a security official be identified and made responsible for development and implementation of policies and procedures.

Standard #3: Workforce Security ensures that all members have appropriate access to ePHI.

  • Authorization and/or Supervision – Determine who should have authority to determine another’s access.
  • Workforce Clearance Procedure – Make sure member access to ePHI is appropriate and not excessive.
  • Termination Procedure – Set procedures for revoking access when an employee leaves the organization (voluntarily or not).

Standard #4: Information Access Management reiterates earlier points relating to restricting access.

  • Isolating Health Care Clearinghouse Functions – Keep ePHI within organization if part of a larger one.
  • Access Authorization – Determine how to grant access, ex: through a designated workstation, program, etc.
  • Access Establishment and Modification – Keep a user’s right of access (permissions) up to date. Adding and removing as needed.

Standard #5: Security Awareness and Training for all members including management to ensure security measures are followed.

  • Security Reminders – Remind the workforce periodically.
  • Protection from Malicious Software – Have software in place to guard, detect, and report malicious software.
  • Log-in Monitoring – Address password management with employees and keep records of login attempts. Note discrepancies and possible fraud.
  • Password Management – Detail procedures for creating, changing, and safeguarding passwords.

Standard #6: Security Incident Procedures in the case of occurrence. This standard expects you to address how you will respond.

Standard #7: Contingency Plan in the event of an emergency or other situation that damages systems containing ePHI.

  • Data Backup Plan – Create procedures to securely create and maintain retrievable exact copies of ePHI.
  • Disaster Recovery Plan – Establish plans to restore lost data so that it’s readily available at all times.
  • Emergency Mode Operation Plan – A contingency plan for the protection of ePHI (in emergency mode).
  • Testing and Revision Procedures – Test contingency plans every once in a while to make sure they work.
  • Applications and Data Criticality Analysis – Which software applications (that store, maintain, or transmit ePHI) take priority in data backup? In a contingency plan you have to decide which items should be restored first.

Standard #8: Evaluation of all of the above. Will the steps you’ve implemented above adequately protect ePHI? Establish effective security procedures, educate your employees on them, and periodically check that your system for this works.

Standard #9: Business Associate Contracts and Other Arrangements. Remember to sign a BAA with anyone handling your ePHI (whether creating, receiving, transmitting, storing, etc) to ensure your Business Associate will appropriately safeguard your information.


Definitely the longest of the 3 standards making up the Security Rule, but congratulations! You just got through 29 pages of implementation standards.