One of the HIPAA Security Rule requirements is that covered entities and business associates have administrative safeguards in place. Once you have completed your HIPAA risk analysis, you should have a good idea of which administrative controls are appropriate for your organization to protect ePHI. Administrative safeguards matter both for preventing a data breach and for limiting its impact when one occurs.
What are Administrative Safeguards?
According to the Office for Civil Rights, the Security Rule defines administrative safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
Examples of administrative controls include workforce security training and awareness programs, written policies and procedures, incident response plans, business associate agreements, and background checks.
To satisfy this requirement, your organization must be able to demonstrate, with evidence, that the appropriate administrative controls are in place and operating effectively. In practice this means the findings of your risk analysis have been reviewed, and administrative controls and security measures have been selected and implemented to address the risks it identified. For help determining whether your administrative controls are appropriate, contact us today.