HIPAA Administrative Safeguard Requirements: Security Rule Checklist

Use this HIPAA Administrative Safeguard Requirements: Security Rule Checklist to structure policies, assign accountability, and verify that your program protects ePHI. Each section below explains the objective, provides an actionable checklist, and lists evidence you should maintain for audits.

Security Management Process

Objective

Establish a risk-based program that prevents, detects, and corrects security issues affecting ePHI. This includes Risk Analysis, risk management, sanctions, and ongoing activity review.

Checklist

• Perform an enterprise-wide Risk Analysis that inventories systems with ePHI, evaluates threats, vulnerabilities, likelihood, and impact.
• Document a risk management plan with prioritized safeguards, owners, budgets, and target completion dates.
• Define a sanction policy and apply it consistently for policy violations.
• Implement information system activity review: audit logs, alerts, exception reporting, and regular reviews.
• Track acceptance of residual risks with executive sign-off and review cycles.

Evidence to Maintain

• Current risk register, treatment plans, and completion proofs.
• Sanction decisions and outcomes mapped to policy.
• Log review records, escalation tickets, and remediation reports.

Assigned Security Responsibility

Objective

Designate a single qualified security official to develop, implement, and enforce the Security Rule program across the organization.

Checklist

• Appoint a security official with written authority and clear decision rights.
• Publish a charter that defines responsibilities, reporting lines, and governance forums.
• Establish cross-functional committees (IT, privacy, HR, legal, clinical) with regular meetings and minutes.
• Set measurable objectives and KPIs for the security program.

Evidence to Maintain

• Appointment letter, job description, and organizational chart.
• Committee rosters, agendas, and action logs.
• Annual plans, KPIs, and performance reviews tied to program outcomes.

Workforce Security

Objective

Ensure that only appropriate personnel can access ePHI and that access changes promptly as roles change. Emphasize Authorization and/or Supervision, Workforce Clearance Procedures, and Termination Procedures.

Checklist

• Define role-based access profiles and least-privilege standards for each job function.
• Implement Workforce Clearance Procedures: background checks, license verification, and training completion before access.
• Enforce onboarding and transfer workflows that require managerial approval and documented justification.
• Execute access termination procedures within defined timelines for exits or role changes.
• Monitor for orphaned, shared, or dormant accounts and remediate quickly.

Evidence to Maintain

• Access approval records linked to role profiles and supervisors.
• Pre-employment screening results and training attestations.
• Termination tickets showing access removal timestamps and system confirmations.

Information Access Management

Objective

Control how ePHI access is authorized, established, modified, and revoked. Build standardized ePHI Access Authorization workflows for consistency and auditability.

Checklist

• Define an access authorization policy specifying who approves ePHI access and under what criteria.
• Use standard request forms that capture purpose, minimum necessary justification, and data scope.
• Implement access establishment and modification procedures with automated provisioning and periodic recertifications.
• Enable emergency (“break-glass”) access with heightened monitoring and after-action review.
• Document minimum necessary rules for routine, incidental, and special-case access.

Evidence to Maintain

• Access control matrices, approval logs, and recertification results.
• Break-glass justifications, alerts, and investigation notes.
• Change records mapping role updates to system entitlements.

Security Awareness and Training

Objective

Equip your workforce to recognize and prevent security threats through continuous training and targeted reinforcement.

Checklist

• Provide onboarding training covering HIPAA administrative safeguards and organization-specific policies.
• Deliver periodic security reminders and role-based refreshers at least annually.
• Run phishing simulations and just-in-time microlearning for observed risks.
• Teach secure authentication, password management, and device hygiene practices.
• Cover malware protection, log-in monitoring, data handling, and incident reporting channels.

Evidence to Maintain

• Training curriculum, completion records, and quiz results.
• Phishing metrics, trend analyses, and corrective actions.
• Attendance logs for role-specific sessions and policy acknowledgments.

Security Incident Procedures

Objective

Create and practice a repeatable Security Incident Response process that identifies, contains, eradicates, and recovers from security incidents involving ePHI.

Checklist

• Publish incident definitions, severity levels, and decision trees for escalation.
• Stand up an on-call response team with documented roles, runbooks, and communication templates.
• Integrate detection sources: SIEM alerts, EHR logs, DLP, endpoint alerts, and user reports.
• Maintain forensics procedures, chain-of-custody steps, and evidence preservation guidelines.
• Include breach assessment workflows and coordinate with privacy for notification obligations.
• Conduct post-incident reviews and track corrective actions to closure.

Evidence to Maintain

• Incident tickets, timelines, and executive summaries.
• Forensics notes, indicators of compromise, and recovery validations.
• Lessons learned, assigned owners, and remediation proofs.

Contingency Plan

Objective

Ensure continuity of operations and timely restoration of ePHI through comprehensive planning, testing, and improvement. Central components include Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan.

Checklist

• Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems.
• Implement automated, verifiable backups with encryption and offsite retention.
• Develop a Disaster Recovery Plan with step-by-step restoration, roles, and vendor contacts.
• Establish Emergency Mode Operation procedures to maintain critical clinical workflows.
• Test plans via tabletop exercises and functional failover; update after each test.
• Perform applications and data criticality analyses and prioritize accordingly.

Evidence to Maintain

• Backup logs, test restores, and exception reports.
• DR/BCP test results, after-action items, and improvement roadmaps.
• Emergency procedures, call trees, and contact rosters.

Evaluation

Objective

Regularly assess how well your safeguards meet the Security Rule. Conduct both initial and periodic evaluations and document Security Policy Evaluation outcomes.

Checklist

• Schedule periodic evaluations and trigger-based reviews after major changes or incidents.
• Include administrative, physical, and technical controls; verify policy-to-practice alignment.
• Benchmark against frameworks you adopt and track gaps to remediation.
• Report results to leadership and incorporate findings into the risk management plan.

Evidence to Maintain

• Evaluation plans, test procedures, and results.
• Gap analyses, risk entries, and remediation tracking.
• Management approvals and updated policies or standards.

Business Associate Contracts and Other Arrangements

Objective

Ensure third parties that create, receive, maintain, or transmit ePHI implement safeguards via Business Associate Agreement Provisions and appropriate oversight.

Checklist

• Identify all business associates and document data flows, services, and ePHI types involved.
• Execute Business Associate Agreements with provisions for permitted uses, safeguards, reporting, subcontractor flow-downs, and termination.
• Perform due diligence: security questionnaires, certifications, and evidence reviews.
• Define monitoring: right-to-audit, breach notification timelines, and corrective action requirements.
• Maintain “other arrangements” documentation where BAAs are not applicable but safeguards are required.

Evidence to Maintain

• Signed agreements, amendment history, and mapping to services.
• Assessment artifacts, remediation plans, and ongoing monitoring reports.
• Termination letters, data return or destruction confirmations, and exit checklists.

Conclusion

By executing this checklist—grounded in Risk Analysis, controlled ePHI Access Authorization, disciplined Security Incident Response, tested Disaster Recovery Plan elements, routine Security Policy Evaluation, and robust Business Associate Agreement Provisions—you create a defensible, auditable HIPAA Security Rule program that protects patient trust and supports resilient operations.

FAQs

What are the key administrative safeguards under HIPAA?

The key safeguards are the Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts and Other Arrangements. Together, they establish policies, accountability, training, access controls, response, continuity, oversight, and third-party governance for ePHI.

How often should security evaluations be conducted?

Perform a baseline evaluation when you implement your program, then conduct periodic evaluations at least annually and after significant changes, incidents, mergers, new systems, or major process updates. Document scope, methods, findings, and remediation plans each time.

What procedures must be in place for workforce access termination?

Require immediate deprovisioning upon separation or role change, disable accounts across all systems with ePHI, retrieve badges and devices, revoke remote access, and document completion timestamps. Keep termination tickets, system logs, and confirmations as audit evidence.

How do business associate contracts protect ePHI?

Business Associate Agreements specify permitted uses of ePHI, require appropriate safeguards, mandate incident and breach reporting, flow down obligations to subcontractors, and define termination and data return or destruction. These provisions create enforceable controls and accountability for third parties handling your ePHI.