What are administrative, physical and technical safeguards?

Administrative, physical, and technical safeguards, outlined in the HIPAA Security Rule, provide healthcare organizations with the guidance needed to protect electronic patient data.  

Related: A guide to HIPAA's rules

Administrative Safeguards

What are administrative safeguards?

HIPAA defines administrative safeguards as, “...administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce about the protection of that information.”

Examples of administrative safeguards

• Designated security officers
• Security risk Management
• Security incident response
• Employee background checks
• Password policies
• Data classification and handling

Implementation

1. Develop and enforce security policies and procedures.
2. Designate a security officer or team responsible for security oversight.
3. Conduct regular risk assessments to identify vulnerabilities and risks.
4. Train employees on security awareness and their roles in safeguarding information.
5. Implement access controls and user management processes.
6. Establish an incident response and business continuity plans.
7. Conduct regular audits and reviews of security controls.
8. Monitor and manage third-party vendors and business associates.
9. Document security incidents and maintain an incident response process.
10. Regularly review and update security policies and procedures.

Physical Safeguards

What are physical safeguards?

Physical safeguards are, “physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”  These safeguards prevent unauthorized access, theft, damage, or loss of physical assets that could compromise the security data. 

Examples of physical safeguards

• Perimeter Security
• Visitor Management
• Alarm Systems and Intrusion Detection
• Secure Storage for Equipment
• Fire Suppression Systems
• Physical Barriers for Data Cables

Implementation

1. Control physical access to facilities and sensitive areas.
2. Implement secure facility design and environmental controls.
3. Utilize video surveillance and monitoring systems.
4. Implement secure storage for physical media and equipment.
5. Manage and track the disposal of sensitive information and equipment.
6. Restrict access to server rooms and network infrastructure.
7. Implement procedures for managing visitors and unauthorized individuals.
8. Conduct background checks for employees with physical access.

Technical Safeguards

What are technical safeguards?

Technical safeguards, “means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” These measures help ensure the security and protection of electronic information.

Examples of technical safeguards

• Firewalls
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
• Data Encryption
• Access Control Systems
• Secure Authentication
• Data Loss Prevention (DLP)

Implementation

1. Control physical access to facilities and sensitive areas.
2. Implement secure facility design and environmental controls.
3. Utilize video surveillance and monitoring systems.
4. Implement secure storage for physical media and equipment.
5. Manage and track the disposal of sensitive information and equipment.
6. Restrict access to server rooms and network infrastructure.
7. Make use of HIPAA compliant communication like HIPAA compliant email.
8. Conduct background checks for employees with physical access.

Applying safeguards in organizations of different sizes

Small Organizations

• Limited resources and budgets may prioritize essential safeguards.
• Simplified security policies and procedures due to smaller operations.
• Reliance on outsourced services for technical safeguards and data storage.

Medium-Sized Organizations

• Increased complexity with diverse systems and larger employee populations.
• Dedicated security roles or teams responsible for safeguard implementation.
• Flexibility to adopt more advanced technical safeguards tailored to their needs.

Large Organizations

• Distributed operations requiring consistent safeguard implementation across locations.
• Comprehensive security policies and procedures addressing complex operations.
• Advanced technologies like SIEM, IDS, and SOCs for enhanced security.

Related: What is the HIPAA Security Rule?

FAQs

What is the Security Rule?

The Security Rule is a set of standards under HIPAA that requires the protection of electronic protected health information (ePHI). 

Who needs to implement these HIPAA safeguards?

All covered entities under HIPAA, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, must implement these safeguards.

How often should these safeguards be reviewed?

Organizations should regularly review and update their safeguards to ensure ongoing compliance with HIPAA and to adapt to new security threats or changes in technology.