Awareness article

HIPAA Administrative Safeguards: What Clinics Must Do

The eight standards of HIPAA administrative safeguards under 45 CFR 164.308, which are required versus addressable, and what small medical practices need to document and implement.

Short answer

Administrative safeguards are the policies, procedures, and management decisions that protect ePHI and govern how the clinic trains and manages its workforce around security. They are the largest category in the HIPAA Security Rule, covering eight standards across 45 CFR 164.308. A small clinic cannot satisfy the Security Rule by installing technical controls alone — the administrative framework is what gives those controls meaning.

Administrative safeguards are the organizational and policy backbone of the HIPAA Security Rule. They sit at 45 CFR 164.308 and govern how the clinic manages its security program, trains its staff, and responds when things go wrong.

The three Security Rule categories (administrative, physical, and technical) are interdependent. Technical controls (see hipaa-technical-safeguards) and physical measures (see hipaa-physical-safeguards) operate within the framework that administrative safeguards establish.

The eight standards

Security management process (164.308(a)(1))

This standard has four implementation specifications: risk analysis, risk management, sanction policy, and information system activity review. All four are required under 164.308(a)(1); none is addressable.

The risk analysis is the foundation of the entire Security Rule compliance program. It must identify reasonably anticipated threats to ePHI, assess the probability and impact of those threats, and document the current controls in place. The risk management specification requires implementing security measures to reduce the risks identified in the analysis to a reasonable and appropriate level.

Assigned security responsibility (164.308(a)(2))

Required. The clinic must designate a Security Officer responsible for developing and implementing security policies and procedures. This person must be identified by name or role in clinic documentation.

Workforce security (164.308(a)(3))

Required standard, addressable specifications. The clinic must implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI, and to prevent unauthorized access. Implementation specifications address authorization, supervision, and workforce clearance procedures. The practical minimum is a documented process for granting and revoking system access when staff are hired or separated.
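One way to verify the revocation half of that process, as an added example that is not from this page or from PHIGuard: reconcile the HR roster against an export of system accounts and record the findings a Security Officer would want to see. The roster, the account export, and the three-day deprovisioning threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: an HR roster and an export of EHR user accounts.
ROSTER = [
    {"id": "e01", "name": "A. Rivera", "hired": date(2021, 3, 1), "separated": None},
    {"id": "e02", "name": "B. Chen", "hired": date(2022, 6, 15), "separated": date(2024, 1, 31)},
    {"id": "e03", "name": "C. Okafor", "hired": date(2023, 9, 5), "separated": date(2024, 2, 14)},
]
ACCOUNTS = [
    {"user": "arivera", "employee_id": "e01", "enabled": True, "disabled_on": None},
    {"user": "bchen", "employee_id": "e02", "enabled": True, "disabled_on": None},
    {"user": "cokafor", "employee_id": "e03", "enabled": False, "disabled_on": date(2024, 3, 20)},
    {"user": "vendor1", "employee_id": None, "enabled": True, "disabled_on": None},
]


def review_access(roster, accounts, max_lag_days=3):
    """Return (finding, username) pairs from an access review.

    Findings raised:
      active_after_separation  - account still enabled for a separated worker
      late_deprovisioning      - account disabled more than max_lag_days after separation
      no_authorization_record  - account with no matching roster entry
    The max_lag_days threshold is a hypothetical clinic policy value.
    """
    by_id = {person["id"]: person for person in roster}
    findings = []
    for acct in accounts:
        person = by_id.get(acct["employee_id"])
        if person is None:
            findings.append(("no_authorization_record", acct["user"]))
            continue
        separated = person["separated"]
        if separated is None:
            continue  # current staff: nothing to revoke
        if acct["enabled"]:
            findings.append(("active_after_separation", acct["user"]))
        elif acct["disabled_on"] and (acct["disabled_on"] - separated).days > max_lag_days:
            findings.append(("late_deprovisioning", acct["user"]))
    return findings


if __name__ == "__main__":
    for finding, user in review_access(ROSTER, ACCOUNTS):
        print(f"{finding}: {user}")
```

Each finding maps back to a documented step the workforce security policy should already require, so the output doubles as evidence for the periodic evaluation under 164.308(a)(8).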

Information access management (164.308(a)(4))

Required standard. Includes isolating healthcare clearinghouse functions from other components of the organization (required), and access authorization and modification procedures (addressable). For most small clinics, this standard means having a documented method for approving access to systems containing ePHI and for promptly removing access when it is no longer needed.

Security awareness and training (164.308(a)(5))

Required standard, all addressable implementation specifications. The specifications cover security reminders, protection from malicious software, log-in monitoring, and password management. All four are addressable, meaning the clinic must implement each one where reasonable and appropriate, or document why it is not and adopt an equivalent alternative measure. Most clinics should implement all four. Training that is documented is defensible; training that happened informally is not.

Security incident procedures (164.308(a)(6))

Required. The clinic must implement policies and procedures to address security incidents — including a process for identifying, responding to, mitigating, and documenting security incidents and their outcomes.

Contingency plan (164.308(a)(7))

Required standard with five implementation specifications. Three are required: data backup plan, disaster recovery plan, and emergency mode operation plan. Two are addressable: testing and revision procedures, and applications and data criticality analysis. The contingency plan is often where small clinics have the biggest gap — particularly the disaster recovery and emergency mode plans, which require more thought than the data backup plan alone.

For more on what clinics should document and keep: HIPAA contingency planning.

Evaluation (164.308(a)(8))

Required. The clinic must perform periodic technical and non-technical evaluations of its security measures in response to environmental or operational changes affecting ePHI. This is the standard behind the annual review that most compliance frameworks recommend. Changes that should trigger an evaluation include: new EHR systems, new PHI-bearing software, office moves, changes in vendor relationships, or a security incident.

What to do first

If your clinic does not have a documented risk analysis or a named Security Officer, those are the two required items with no acceptable alternative. Start there.

After those two, a workforce training log and a documented access provisioning and deprovisioning process cover the specifications OCR most commonly cites in small-provider enforcement actions.

PHIGuard tracks administrative safeguard tasks, policy acknowledgements, and security incident records in one place. Plans start at $99 per clinic, with a BAA at every tier. See HIPAA compliance for what the compliance program covers.

FAQ

Questions related to this topic

Does a small clinic need a full-time Security Officer?

No. HIPAA requires that responsibility for developing and implementing security policies be assigned to a specific individual, but that person can hold other roles in the clinic. In a practice with three to ten staff, the office manager or practice administrator typically serves as Security Officer. The key requirement is that someone is formally designated and that the designation is documented.

How often does the risk analysis need to be updated?

HIPAA requires an ongoing risk analysis — not a one-time event. HHS guidance states that the risk analysis must be reviewed and updated in response to environmental or operational changes that affect ePHI. Most clinics conduct a formal review at least annually and update it when they add new systems, hire new staff with system access, change vendors, or experience a security incident.

What is the contingency plan standard under administrative safeguards?

The contingency plan standard at 45 CFR 164.308(a)(7) requires documented procedures for responding to emergencies that damage systems containing ePHI. It has five implementation specifications: data backup plan (required), disaster recovery plan (required), emergency mode operation plan (required), testing and revision procedures (addressable), and applications and data criticality analysis (addressable).

What happens if a clinic has no workforce training on HIPAA security?

Absent training documentation, OCR treats workforce knowledge gaps as the clinic's responsibility. In enforcement actions, OCR regularly cites missing or inadequate workforce training as an independent finding. Training does not have to be elaborate, but it must be documented — who attended, when, and what was covered.
