HIPAA Administrative and Technical Safeguards: Requirements and Examples

HIPAA’s Security Rule requires covered entities and business associates to protect Electronic Protected Health Information (ePHI) with a balanced mix of administrative, physical, and technical controls. Below, you’ll find the core requirements and practical, real‑world examples you can apply to build a risk‑based, right‑sized security program.

Security Management Process

Purpose

You establish an ongoing program to identify risks to ePHI, reduce those risks to reasonable and appropriate levels, and verify that controls keep working as your environment changes.

Required elements

• Risk analysis: inventory systems handling ePHI, map data flows, and assess threats, vulnerabilities, likelihood, and impact.
• Risk management: select and implement controls based on your analysis; document rationale for accepted risks.
• Sanction policy: define consequences for workforce noncompliance and apply them consistently.
• Information system activity review: routinely review audit logs, access reports, and security event alerts.

Security Incident Procedures

Create and maintain procedures to identify, contain, investigate, mitigate, and document security incidents. Tie escalation paths to your risk thresholds and integrate with breach assessment workflows.

Business Associate Contracts

Execute Business Associate Contracts that require partners to safeguard ePHI, restrict uses and disclosures, report incidents promptly, and flow obligations down to subcontractors. Track agreement status and renewal dates.

Examples in practice

• Run an annual enterprise risk analysis plus trigger‑based reviews after major changes (new EHR, cloud migration, merger).
• Use a risk register to assign owners, due dates, and remediation milestones; revisit accepted risks quarterly.
• Automate log ingestion to a SIEM and review high‑risk reports weekly; spot‑check user access to sensitive records.

Workforce Security

Goal

Ensure the right people have the right level of access to ePHI at the right time—and lose it immediately when they no longer need it.

Core activities

• Authorization and/or supervision: grant access only with manager approval; supervise new or temporary staff handling ePHI.
• Clearance procedures: align access with job role and background checks; minimize privileged accounts.
• Termination procedures: disable accounts, reclaim badges and devices, and document offboarding within defined SLAs.
• Security awareness and training: provide role‑based training on phishing, secure handling of ePHI, and incident reporting.

Information Access Management

Define access based on least privilege and separation of duties. Use standardized roles for job functions, periodic access reviews, and break‑glass procedures for clinical emergencies.

Workstation Use and Security

Publish clear rules for how workstations can be used, where they can be placed, and how they must be secured. Include screen privacy, automatic lock, prohibited storage of ePHI on local drives, and device hardening baselines.

Examples in practice

• Provision access through a ticketed workflow with attestation from managers and data owners.
• Run quarterly user access reviews for EHR, billing, and analytics systems; immediately remediate excess privileges.
• Require short screen‑lock timers, privacy filters in public areas, and training refreshers every 12 months.

Contingency Plan

Required components

• Data backup plan: protect ePHI with versioned, encrypted backups and routine restore tests.
• Disaster recovery plan: document steps to restore systems and data after outages or corruption.
• Emergency mode operation plan: maintain essential operations and access to ePHI during emergencies.
• Testing and revision procedures: exercise the plan, capture lessons learned, and update documents.
• Applications and data criticality analysis: prioritize systems by clinical and business impact to set RTO/RPO targets.

Examples in practice

• Adopt a 3‑2‑1 backup strategy with immutable copies and quarterly restore drills.
• Run tabletop exercises simulating ransomware, data center failure, and third‑party outages.
• Publish downtime procedures for clinical staff, including paper workflows and data reconciliation steps.

Facility Access and Control

Objectives

Protect the physical spaces where ePHI systems reside so only authorized individuals can enter, and so operations can continue during emergencies.

Key controls

• Contingency operations: allow authorized personnel to enter facilities to restore critical services during disruptions.
• Facility security plan: document physical protections such as cameras, alarms, and environmental controls.
• Access control and validation: use badges, biometrics, visitor logs, and escort requirements.
• Maintenance records: keep records of repairs and changes to doors, locks, and security systems.

Examples in practice

• Restrict data center access to a small roster; require dual‑factor entry and video verification.
• Log all visitors, issue temporary badges, and escort them; review logs monthly.
• Position workstations to prevent shoulder‑surfing and secure network closets with unique keys.

Device and Media Controls

Requirements

• Disposal: destroy or render ePHI unreadable on media and devices before disposal.
• Media reuse: securely wipe or reimage devices before reassignment.
• Accountability: track the movement and ownership of devices storing ePHI.
• Data backup and storage: back up ePHI before moving or servicing devices.

Examples in practice

• Maintain an asset inventory with custody logs for laptops, removable media, and biomedical devices.
• Enforce full‑disk encryption, remote wipe, and secure decommissioning (e.g., certified shredding).
• Prohibit ePHI on portable media unless encrypted and approved; require tamper‑evident shipping.

Access Control

Technical requirements

• Unique user identification (required): one identity per user to enable traceable actions.
• Emergency access procedure (required): break‑glass access with auditing and post‑event review.
• Automatic logoff (addressable): session timeouts for applications and VDI.
• Encryption and decryption (addressable): protect ePHI at rest with strong encryption and managed keys.

Audit Controls

Implement Audit Controls that record access and activity across EHRs, databases, endpoints, and networks. Centralize logs, alert on anomalous behavior, and retain records per policy to support investigations and compliance.

Person or Entity Authentication

Verify that a user or system is who they claim to be before granting access. Use MFA for remote and privileged access, certificate‑based service authentication, and strict API keys with rotation policies.

Examples in practice

• Role‑based access for clinicians, billing, and research; privileged access management for admins.
• MFA everywhere feasible; just‑in‑time elevation with approvals for sensitive tasks.
• Quarterly access certifications and automated offboarding tied to HR events.

Transmission Security

Objectives

Protect ePHI when it moves across networks by ensuring confidentiality and integrity, whether inside your LAN, across the internet, or to partners.

Integrity Controls

Apply Integrity Controls such as message authentication codes, digital signatures, and checksums to detect unauthorized alteration of ePHI in transit and between systems.

Encryption in transit

Use modern, validated encryption for all external transmissions and sensitive internal traffic. Examples include TLS for web and APIs, S/MIME or secure portals for email workflows, and IPSec or TLS‑based VPNs for site‑to‑site links.

Examples in practice

• Require TLS for all client and backend services; disable legacy protocols and ciphers.
• Harden secure messaging and patient portal communications with strong certificates and HSTS.
• Validate file integrity on receipt and maintain non‑repudiation for critical data exchanges.

Bringing it all together, you reduce risk by combining policy, technology, and physical safeguards; documenting decisions; training your workforce; testing your plans; and continuously monitoring that controls protecting ePHI remain effective as your environment evolves.

FAQs

What Are HIPAA Administrative Safeguards?

Administrative safeguards are the policies and procedures you put in place to manage security for ePHI. They include the security management process, assigned security responsibility, workforce security, Information Access Management, security awareness and training, Security Incident Procedures, the Contingency Plan, evaluation of controls, and Business Associate Contracts.

How Do Technical Safeguards Protect ePHI?

Technical safeguards apply technology and related processes to control access and protect data. They cover access control (unique IDs, emergency access, auto‑logoff, encryption), Audit Controls, integrity protections, person or entity authentication, and Transmission Security using encryption and Integrity Controls for data in motion.

What Is the Role of a HIPAA Security Officer?

The HIPAA Security Officer leads the security program: overseeing risk analysis and remediation, maintaining policies and procedures, coordinating training, managing incident response, guiding vendor risk and Business Associate Contracts, and reporting on program effectiveness to leadership.

How Are Security Incidents Addressed Under HIPAA?

Under Security Incident Procedures, you must identify and contain incidents, mitigate harmful effects, investigate root causes, and document actions taken. If an incident leads to a breach of unsecured PHI, you assess risk and follow breach notification processes consistent with HIPAA requirements and your policies.