Section §164.308 of the Health Insurance Portability and Accountability Act (HIPAA) covers security management and assigning overall responsibility for security policies to an individual in the organization. This article focuses on the required HIPAA administrative safeguards covered in subsections §164.308(a)(1) and (a)(2) describing policies and responsibilities.

Section (a)(2) is a simple requirement. The organization must identify an individual as the Security Official who is responsible for the policies and procedures that bring the organization into compliance with the law. The Security Official is responsible for communicating these policies effectively to all workforce members. These policies must also cover the workforce and training requirements discussed in section §164.308 which will be covered in a later article.

In order to be HIPAA compliant, covered entities must implement HIPAA administrative safeguards. The wording of section §164.308(a)(1) says entities must “implement policies and procedures to prevent, detect, contain and correct security violations”. To this end, the entity’s security policies and practices are required to meet criteria for four main areas: risk analysis, risk management, workforce sanctioning, and records review.

Risk Analysis

“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”.

This requirement is broad in scope. It covers existing software, hardware and practices, and risk analysis is also required whenever new IT systems and services are obtained or employed by the covered entity. The audit protocol requires the auditor to determine whether policies and practices exist to perform sufficient risk assessments for all IT assets, so that the level of risk assumed when handling protected health information can be determined.

Risk Management

“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Section §164.306(a), in turn, requires that covered entities:

  • Ensure any protected health information that they handle is kept confidential and unmodified
  • Protect any health information against reasonably anticipated threats
  • Protect against reasonably anticipated uses or disclosures of private information
  • Ensure their workforce complies with the policies put in place to protect private health information

To comply with the risk management requirement, an auditor will determine whether policies and procedures exist which cover all of the requirements of section §164.306(a) and whether these controls sufficiently safeguard protected health information.

Workforce Sanctioning

“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

This stipulation requires a covered entity to have a policy for disciplining workforce members who violate any of the security policies. The disciplinary process may be based on several factors, such as the risk level or the type and volume of information which is exposed. An auditor will verify that this policy exists, is followed, and that it sanctions violators for failing to adhere to the security policies.

Records Review

“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

This requirement is fairly self-explanatory – the described logs need to be maintained for a stated period of time. This must be covered by an organizational policy which states which records are maintained, for what duration, and how frequently they are reviewed.

Changes in the 2013 HIPAA Update

No part of §164.308(a)(1) or §164.308(a)(2) was changed in the 2013 HIPAA Omnibus Rule. However, as described in this article, business associates of covered entities are also liable for complying with the Security Rule. Therefore, these requirements also apply to business associates.


Sections §164.308(a)(1) and §164.308(a)(2) describe the required HIPAA administrative safeguards necessary for compliance. Covered entities must have policies and procedures for risk analysis and risk management. Processes are also required for dealing with policy violations. The HIPAA legal language does not indicate these policies must be formalized. However, we recommend entities formally document their administrative safeguards and communicate and enforce them throughout the organization. Having formal HIPAA administrative safeguards will greatly increase the chances of passing a HIPAA audit.