What Are HIPAA’s Administrative Safeguards?
The HIPAA Administrative Safeguards You Need to Stay On Top Of
The Health Insurance Portability and Accountability Act (HIPAA) is a law designed to protect the privacy of individuals’ health information. The administrative safeguards section, in particular, outlines essential security practices for organizations that process health information electronically.
This blog post will explain HIPAA’s administrative safeguards and how they can help you protect sensitive information.
What Is HIPAA?
HIPAA protects individuals’ health information by setting national standards for the protection of electronic health information, including:
- The use and disclosure of individually identifiable health information;
- The rights of individuals concerning their health information;
- The responsibilities of covered entities (health plans, healthcare providers, etc.); and
- Enforcement of these standards.
As you can see, HIPAA has several important privacy protections that directly affect employers and employees.
The Administrative Safeguards Section
Administrative safeguard information is designed to help organizations comply with their responsibilities under HIPAA. Specifically, it:
- Defines administrative safeguards;
- Outlines the responsibilities of covered entities; and
- Gives guidance on the implementation of administrative safeguards by covered entities.
What Are Administrative Safeguards?
The HIPAA Privacy Rule defines an administrative safeguard as any “administrative control” that a covered entity uses to “effectively protect electronically protected health information” (ePHI). A covered entity should therefore implement administrative safeguards as an effective way to protect ePHI.
As discussed in the previous section, the HIPAA Privacy Rule lists specific administrative safeguards that a covered entity should use to protect ePHI. However, not all of these apply to employers.
Employers must implement certain administrative safeguards:
Encryption
Organizations must encrypt sensitive information sent over the Internet or transmitted through open networks (e.g., fax machines). Encrypting information can help prevent unauthorized people from accessing it if it is intercepted.
Administrative Safeguards
In addition, covered entities must implement administrative safeguards that are reasonable and appropriate for their organization and their environment, as well as the nature of the ePHI they process, store or transmit. For example, an employer could delegate additional administrative safeguards to employees with different roles to meet the standard.
Contingency Plans
A contingency plan is a set of security policies and procedures that organizations develop to protect ePHI if unexpected events disrupt their operations. For example, an employer might have a contingency plan to contain the damage caused if someone tries to break into their facility.
Business Associate Agreement
A business associate agreement (BAA) is a contract with a third party enabling the joint processing of ePHI by the first party and the third party. A BAA requires the third party to honor the terms of a privacy agreement between that organization and an individual.
When they sign the BAA, covered entities will indicate to their business associates that they have no liability for complying with HIPAA’s requirements.
Technical Safeguards
Some administrative safeguards may not be feasible within an organization’s environment. In this case, covered entities may use technical safeguards as an alternative.
Training and Security Awareness Program
Covered entities must train their workforce on the organization’s security standards and procedures and periodically retrain them (i.e., at least annually). This can help ensure that employees know what to do to protect ePHI. It is also essential that they are held accountable for their actions while they are working with ePHI.
No Delegation
Lastly, employers must not delegate responsibilities to their employees. That means that employees cannot decide which administrative safeguards to use when handling ePHI.
How Do I Implement Administrative Safeguards?
Implementing administrative safeguards involves doing three things:
- Choosing which safeguards to use
- Controlling who handles your information
- Putting them into action
A covered entity must implement safeguards appropriate for its needs and environment, which cannot be determined in advance.
Administrative safeguards are not optional; they must be followed across all organizations. Your workforce must understand why the safeguards were implemented and how to implement them. Otherwise, security risks could persist at an unacceptable level.
Applying administrative safeguards is a complex and challenging task. To learn more, look at the HHS guidelines.
The keys to success are keeping ePHI secure and implementing the safeguards you identified in Step 1.
How to Dispose of Data Properly
HIPAA does not mandate disposal, such as shredding documents or encrypting hard drives. However, employers may want to consider the following procedures when disposing of ePHI:
- Review the “Handling Paperwork for Destruction and Disposal of Protected Health Information” (HHS Guideline) to learn about the different disposition procedures.
- Determine which dispositions will be appropriate for your organization; consider, for example:
  - Conduct an assessment to determine when it is appropriate to dispose of ePHI.
  - Designate employees in your workforce who will carry out the disposition procedure(s).
  - Hold a training session to ensure that all your employees know when they are responsible for ePHI.
  - Monitor your employees by conducting audits.
  - Store ePHI securely and dispose of it regularly.
  - Whenever possible, directly dispose of ePHI rather than passing it along to another organization; for example, if you have an incinerator on-site, you can dispose of the ePHI yourself.
  - As a last resort, store ePHI electronically and maintain it for as long as you need it (e.g., if the IRS calls you with an audit).
Conclusion
In conclusion, HIPAA’s administrative safeguards are a set of policies that must be put in place for covered entities and business associates to protect personal health information.
These policies include assigning individuals responsible for their organization’s compliance with HIPAA and developing risk assessments for the organization. If you found this HIPAA guide helpful, check out our blog now for more content like this.