How Many Administrative Safeguards Are Required by HIPAA? 9 Standards Explained
HIPAA’s Security Rule establishes nine Administrative Safeguard standards that form the governance backbone for ePHI protection. This guide explains each standard, what you must implement, and practical steps to operationalize compliance across your organization.
Implementation specifications are marked “Required” or “Addressable.” Addressable never means optional; you must implement the control as written or document a reasonable, equivalent alternative based on your security risk analysis.
Security Management Process
The Security Management Process is the foundation. You identify risks to ePHI, choose safeguards, monitor their effectiveness, and enforce policy. The outcome is a documented security risk analysis and a prioritized risk management plan.
- Risk analysis (Required): inventory systems handling ePHI, identify threats and vulnerabilities, and estimate likelihood and impact.
- Risk management (Required): apply controls, assign owners, and track remediation to reduce risk to a reasonable and appropriate level.
- Sanction policy (Required): define consequences for workforce violations and apply them consistently.
- Information system activity review (Required): routinely review audit logs, access reports, and security event data.
Align safeguards to risk, maintain audit trails, and prepare evidence you will need during a HIPAA compliance audit.
Assigned Security Responsibility
You must designate a security official with authority to develop, implement, and maintain your security program. This role coordinates policies, risk management, training, incident response, and vendor oversight.
- Security official (Required): appoint a named individual, document responsibilities, and empower decision-making.
Workforce Security
Workforce Security ensures only appropriate personnel can access ePHI and that access is supervised. It governs how you authorize, vet, and offboard users across the employee lifecycle to strengthen ePHI protection.
- Authorization and/or supervision (Addressable): supervise access to ePHI until users are fully authorized; enforce segregation of duties.
- Workforce clearance procedure (Addressable): verify background and role requirements before granting access authorization.
- Termination procedures (Addressable): promptly revoke credentials, collect devices, and remove remote access when roles change or employment ends.
Information Access Management
This standard operationalizes the minimum necessary principle. Define who may create, read, update, or delete ePHI by role, and manage approvals for exceptions and temporary elevation.
- Isolating health care clearinghouse function (Required): when applicable, separate a clearinghouse’s access from other components.
- Access authorization (Addressable): require documented approval for initial and ongoing rights to ePHI.
- Access establishment and modification (Addressable): use request workflows to grant, change, and revoke access based on job changes.
Implement role-based access controls, unique user IDs, and periodic entitlement reviews to keep access authorization aligned with duties.
Security Awareness and Training
Every member of your workforce must be trained to recognize and reduce security risks. Training turns policies into daily habits and complements technical controls.
- Security reminders (Addressable): send short, ongoing updates and just-in-time guidance.
- Protection from malicious software (Addressable): educate users on phishing, attachments, and safe browsing.
- Log-in monitoring (Addressable): explain how suspicious login activity is detected and reported.
- Password management (Addressable): require strong passphrases and, where feasible, multi-factor authentication.
Security Incident Procedures
Incidents happen; what matters is how quickly and effectively you respond. Establish and practice an incident response plan that covers detection, containment, investigation, mitigation, and reporting.
- Response and reporting (Required): document how staff report suspected incidents, who triages them, how you escalate, and how you preserve evidence.
Coordinate with privacy and legal teams to determine breach status and meet notification timelines while protecting ePHI during recovery.
Contingency Plan
Contingency planning prepares you to keep critical operations running and to restore ePHI after disruptions such as ransomware, outages, or natural disasters. Plans must be realistic, tested, and updated.
- Data backup plan (Required): create reliable, tested backups of ePHI with defined retention.
- Disaster recovery plan (Required): detail steps to restore systems and data to normal operations.
- Emergency mode operation plan (Required): explain how you will maintain essential functions that rely on ePHI during an emergency.
- Testing and revision procedures (Addressable): run tabletop and technical exercises, document results, and improve.
- Applications and data criticality analysis (Addressable): rank systems by business impact to set recovery time (RTO) and recovery point (RPO) objectives.
Define alternate communication channels, vendor contacts, and chain-of-command so decisions happen quickly under pressure.
Evaluation
Evaluation confirms your safeguards remain effective over time. Perform an initial and periodic assessment—technical and nontechnical—and reassess whenever significant changes occur.
- Periodic evaluation (Required): measure your program against the Security Rule and your own policies, capture gaps, and remediate. Many organizations treat this as a recurring HIPAA compliance audit.
Trigger evaluations after events like migrating to the cloud, deploying new EHR modules, or restructuring operations.
Business Associate Contracts and Other Arrangements
Vendors that create, receive, maintain, or transmit ePHI are business associates. You must have a written business associate agreement that obligates them to safeguard ePHI and to report incidents promptly.
- Written contract or arrangement (Required): define permitted uses and disclosures, required safeguards, breach reporting, subcontractor flow-down, and termination processes.
Integrate business associate oversight into vendor risk reviews, ensure least-privilege access, and keep executed agreements current and accessible.
In summary, the nine Administrative Safeguards work together: govern risk, assign accountability, control access, train people, respond to incidents, plan for continuity, evaluate performance, and manage vendors. Map each control to your security risk analysis and document decisions to build resilient, auditable ePHI protection and contingency planning.
FAQs
What are the nine administrative safeguards under HIPAA?
The nine are: Security Management Process; Assigned Security Responsibility; Workforce Security; Information Access Management; Security Awareness and Training; Security Incident Procedures; Contingency Plan; Evaluation; and Business Associate Contracts and Other Arrangements.
How does workforce security protect ePHI?
Workforce Security limits ePHI to appropriate personnel through authorization and supervision, verifies suitability via clearance procedures, and removes access at role change or termination. Together, these steps reduce insider risk and strengthen ePHI protection.
What is required in a HIPAA contingency plan?
A contingency plan must include a Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan (all Required), plus Testing and Revision Procedures and an Applications and Data Criticality Analysis (Addressable). These elements ensure you can restore ePHI and sustain care during disruptions.
How often must HIPAA administrative safeguards be evaluated?
The Security Rule requires periodic evaluation and reassessment whenever significant environmental or operational changes occur. Many organizations evaluate at least annually and after major changes, documenting scope, findings, remediation, and readiness for a HIPAA compliance audit.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.