Does HIPAA Require Administrative Safeguards? Yes—Here’s the Full List Under the Security Rule
Yes. The HIPAA Security Rule requires administrative safeguards to protect electronic protected health information (ePHI) as set out in 45 CFR § 164.308. These are the policy, process, and oversight measures that make your technical and physical controls effective and auditable.
Implementation specifications are labeled Required or Addressable. “Addressable” does not mean optional—you must assess reasonableness, implement as appropriate, and document your rationale if you use alternatives. Below is the complete list, with practical guidance to help you operationalize each safeguard.
Security Management Process
This safeguard establishes the program that identifies and reduces risks to ePHI. It anchors your security governance and drives continuous improvement through documented decisions and outcomes.
Implementation specifications
- Risk analysis (Required): Identify where ePHI resides and flows, the threats and vulnerabilities affecting it, and the likelihood and impact of adverse events. Produce a current, documented risk register and prioritize remediation.
- Risk management (Required): Implement controls based on risk, assign owners and deadlines, and track residual risk. Integrate results into budgets, projects, and vendor management.
- Sanction policy (Required): Define graduated, consistently applied consequences for workforce violations, tie them to policy, and retain evidence of actions taken.
- Information system activity review (Required): Review audit logs, access reports, and security event logs routinely; investigate anomalies; and document outcomes.
How to operationalize
- Refresh risk analysis periodically and whenever technology, vendors, or operations change.
- Map risks to specific safeguards and verify effectiveness with metrics and testing.
Assigned Security Responsibility
You must formally designate a security official. Name a single individual with the authority to develop, implement, and enforce your security program for ePHI and to coordinate with privacy and compliance leaders.
- Publish the official’s role, responsibilities, and reporting lines.
- Empower the official to approve controls, oversee training, and steer security incident response.
Workforce Security
Workforce security ensures people have the right level of access—and only for as long as needed. Strong workforce access controls prevent inappropriate use or disclosure of ePHI.
Implementation specifications
- Authorization and/or supervision (Addressable): Supervise new or high-risk roles; require manager validation for access to ePHI systems.
- Workforce clearance procedure (Addressable): Screen personnel appropriate to role sensitivity; document determinations.
- Termination procedures (Addressable): Promptly remove access, recover devices and badges, and preserve logs upon separation.
Operational tips
- Use joiner–mover–leaver workflows and role-based access to keep privileges aligned with job duties.
- Re-certify user access to ePHI on a defined cadence.
Information Access Management
This safeguard governs how you grant, modify, and revoke access to ePHI based on the minimum necessary principle. It connects policy decisions to day-to-day provisioning.
Implementation specifications
- Isolate health care clearinghouse function (Required, if applicable): If you operate a clearinghouse or a clearinghouse function within a larger entity, isolate it to prevent unauthorized access.
- Access authorization (Addressable): Define who can approve access to ePHI and the criteria used.
- Access establishment and modification (Addressable): Maintain procedures for creating, changing, and reviewing access aligned to role definitions.
Security Awareness and Training
Awareness and training make your policies actionable. Tailor content to roles and reinforce key behaviors that protect ePHI.
Implementation specifications
- Security reminders (Addressable): Send periodic updates and just-in-time prompts.
- Protection from malicious software (Addressable): Train users to recognize malware and support technical controls with behavior.
- Log-in monitoring (Addressable): Educate users on suspicious log-in patterns and reporting procedures.
- Password management (Addressable): Provide guidance on strong secrets and, where used, password tools or multi-factor policies.
Security Incident Procedures
Establish a documented process for security incident response covering detection through recovery. The goal is to limit harm to ePHI and restore normal operations quickly.
Implementation specification
- Response and reporting (Required): Identify, triage, contain, eradicate, and recover; mitigate harmful effects; document each incident and its outcome; and escalate according to your governance procedures. Feed lessons learned back into training and controls.
Contingency Plan
Contingency planning prepares you to keep critical operations running and recover ePHI after disruptions such as ransomware, system failures, or disasters.
Implementation specifications
- Data backup plan (Required): Perform reliable, tested backups of ePHI with secure storage and documented retention.
- Disaster recovery plan (Required): Define steps to restore systems that store or process ePHI to a known good state.
- Emergency mode operation plan (Required): Maintain procedures to sustain critical functions that rely on ePHI during an emergency.
- Testing and revision procedures (Addressable): Exercise plans regularly and update based on results.
- Applications and data criticality analysis (Addressable): Rank systems and datasets by criticality to set recovery time objectives (RTO) and recovery point objectives (RPO).
Evaluation
Conduct periodic technical and nontechnical evaluations to verify that your policies, procedures, and controls meet the Security Rule and continue to protect ePHI as your environment changes.
- Schedule evaluations after significant changes (e.g., new EHR, cloud migrations, mergers) and document findings with remediation plans.
Business Associate Contracts and Other Arrangements
When vendors create, receive, maintain, or transmit ePHI on your behalf, you must obtain satisfactory assurances—typically through a business associate agreement—that the business associate will comply with the Security Rule.
Implementation specification
- Written contract or other arrangement (Required): Define permitted uses and disclosures, safeguard obligations, breach reporting, subcontractor flow-downs, termination rights, and return or destruction of ePHI.
In practice, treat vendor risk management as an extension of your program: perform due diligence, validate controls tied to risk analysis, and monitor performance over time.
Taken together, these administrative safeguards in 45 CFR § 164.308 give you a comprehensive framework: analyze and manage risk, assign accountable leadership, enforce workforce and access controls, train continuously, execute security incident response, invest in contingency planning, evaluate routinely, and ensure partners uphold the same standards.
FAQs
What are administrative safeguards under HIPAA?
They are the policies and procedures that manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage workforce conduct. In short, they are the administrative foundation that makes your technical and physical controls effective.
How does HIPAA define workforce security?
Workforce security requires you to ensure that all workforce members have appropriate access to ePHI—and that those who should not have access are prevented from obtaining it—through authorization or supervision, workforce clearance, and termination procedures.
What procedures are required for security incident response?
You must have documented processes to identify, respond to, mitigate, and report security incidents, and to document outcomes. This includes defined roles, escalation paths, evidence preservation, communication steps, and post-incident lessons learned.
Are contingency plans mandatory under HIPAA?
Yes. The Security Rule mandates a contingency plan comprising a data backup plan, disaster recovery plan, and emergency mode operation plan (all Required), plus testing and revision procedures and an applications and data criticality analysis (both Addressable but expected to be implemented or justified).
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.