HIPAA Administrative Safeguards Checklist for Small Clinics
A practical checklist of HIPAA administrative safeguards under 45 CFR 164.308. Covers risk analysis, security officer designation, workforce security, training, incident response, and contingency planning.
Short answer
Administrative safeguards under 45 CFR 164.308 are the policies, people, and processes that govern how a covered entity manages security. This article translates the standard into a checklist a small clinic can run end to end.
What the administrative safeguards standard actually requires
Administrative safeguards are the management controls of HIPAA. They live in 45 CFR 164.308 and they describe the human side of compliance: who is in charge, what is documented, how the workforce is trained, what happens after an incident, and how the clinic keeps operating when systems fail.
The standard contains nine core areas:
- Security management process (164.308(a)(1))
- Assigned security responsibility (164.308(a)(2))
- Workforce security (164.308(a)(3))
- Information access management (164.308(a)(4))
- Security awareness and training (164.308(a)(5))
- Security incident procedures (164.308(a)(6))
- Contingency plan (164.308(a)(7))
- Evaluation (164.308(a)(8))
- Business associate contracts and other arrangements (164.308(b))
This is the set of safeguards OCR investigators reach for first when a complaint or breach lands. A missing or stale risk analysis is the single most-cited finding across published resolution agreements.
Specific requirements and CFR citations
Security management process — 164.308(a)(1). Required specifications: risk analysis, risk management, sanction policy, information system activity review.
Assigned security responsibility — 164.308(a)(2). Required as written. Identify the security official responsible for development and implementation of the policies and procedures required.
Workforce security — 164.308(a)(3). Addressable specifications: authorization and supervision, workforce clearance procedure, termination procedures.
Information access management — 164.308(a)(4). Required: isolating health care clearinghouse functions. Addressable: access authorization, access establishment and modification.
Security awareness and training — 164.308(a)(5). Addressable specifications: security reminders, protection from malicious software, log-in monitoring, password management.
Security incident procedures — 164.308(a)(6). Required specification: response and reporting.
Contingency plan — 164.308(a)(7). Required: data backup plan, disaster recovery plan, emergency mode operation plan. Addressable: testing and revision procedures, applications and data criticality analysis.
Evaluation — 164.308(a)(8). Required as written. Periodic technical and nontechnical evaluation of how well policies and procedures meet the requirements of the Security Rule.
Business associate contracts — 164.308(b). Required. A covered entity may permit a business associate to create, receive, maintain, or transmit PHI on its behalf only with satisfactory assurances obtained through a written contract or other arrangement.
Common gaps in small clinics
The administrative safeguards are where small clinics most often confuse “we know who handles this” with “we have it written down.” Patterns we see:
- A Security Officer who exists in conversation but not in any document.
- A risk analysis that was completed once at EHR go-live and never refreshed.
- Termination procedures that disable EHR access but forget the billing portal, the lab interface, and the practice management system.
- Annual training that is run as a single email blast with no completion tracking.
- A contingency plan that consists of “we have backups” with no tested restore.
- BAAs that exist for the EHR vendor but not for the IT consultant, the cleaning company that empties the locked shred bin, or the cloud storage account holding scanned charts.
Numbered checklist
1. A Security Officer is identified in writing, with name, title, and effective date.
2. The Security Officer’s responsibilities are documented and reviewed when the role changes.
3. A current risk analysis exists, updated within the last twelve months or after the most recent material change.
4. The risk analysis identifies threats, vulnerabilities, current controls, likelihood, impact, and residual risk for every system that handles PHI.
5. A risk management plan tracks each identified risk to acceptance, mitigation, or transfer, with owner and due date.
6. A written sanction policy describes the consequences of workforce violations of HIPAA policy.
7. Sanctions have been applied consistently when violations have occurred, with records retained.
8. Information system activity review is scheduled and performed (audit log review, access report review).
9. Workforce clearance procedures verify each role’s appropriate level of access to PHI before access is granted.
10. Authorization and supervision procedures address how new workforce members are granted access and who supervises that access.
11. Termination procedures revoke physical and electronic access within twenty-four hours of the workforce member’s departure.
12. An access authorization, establishment, and modification policy describes how role changes flow through every system holding PHI.
13. Security awareness training is delivered at hire and at least annually, with completion tracked per workforce member.
14. Training covers security reminders, malicious software protection, log-in monitoring, and password management at minimum.
15. Phishing simulations, or equivalent reinforcement, are run at least annually.
16. A written security incident procedure defines what counts as an incident, who reports it, who investigates, and how it is documented.
17. Security incidents are logged centrally and reviewed by the Security Officer.
18. A breach risk assessment process exists to determine when an incident requires breach notification.
19. A data backup plan describes what is backed up, how often, where it is stored, and who is responsible.
20. A disaster recovery plan describes how systems are restored after a destructive event.
21. An emergency mode operation plan describes how the clinic continues operating during a system outage while protecting PHI.
22. Backup and recovery procedures are tested at least annually with documented results.
23. An applications and data criticality analysis ranks systems by importance to clinic operations.
24. A periodic security evaluation (annual at minimum) reviews compliance with every Security Rule standard.
25. A current inventory of business associates exists, with vendor name, services provided, and BAA status.
26. Every business associate has a signed BAA on file before any PHI is shared.
27. BAAs are reviewed when contracts are renewed or when the vendor’s services materially change.
28. The Security Officer signs the annual evaluation result and presents findings to clinic leadership.
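Several checklist items have an objective pass/fail test (risk analysis age, revocation across every PHI system within twenty-four hours, per-person training completion, a tested restore, a BAA for every vendor that touches PHI), which means they can be checked mechanically against a clinic's evidence record rather than by reading policies. The script below is an added example, not PHIGuard code and not taken from the cited sources; the Evidence structure, the CFR mapping of each finding, and every name, date and system identifier in the sample record are constructed assumptions.

```python
"""Added example (not PHIGuard code): evidence checker for the objective
items of the administrative safeguards checklist. All records are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta

YEAR = timedelta(days=365)
REVOKE_WINDOW = timedelta(hours=24)   # checklist: revoke access within twenty-four hours


@dataclass
class Evidence:
    as_of: date
    security_officer_doc: str | None      # document id of the written designation, None if only verbal
    risk_analysis_date: date | None
    last_material_change: date | None     # e.g. a new system go-live
    phi_systems: list[str]                # every system that holds PHI, not just the EHR
    departures: dict[str, dict]           # person -> {"left": datetime, "revoked": {system: datetime}}
    workforce: list[str]
    training_completed: dict[str, date]   # person -> most recent completion date
    last_restore_test: date | None
    vendors: dict[str, dict]              # vendor -> {"phi": bool, "baa_signed": date | None}


def check(ev: Evidence) -> list[tuple[str, str]]:
    """Return (CFR citation, finding) pairs; an empty list means no gaps were detected."""
    f: list[tuple[str, str]] = []
    if not ev.security_officer_doc:
        f.append(("164.308(a)(2)", "Security Officer not designated in writing"))
    # Risk analysis must be within twelve months AND newer than the last material change.
    if ev.risk_analysis_date is None:
        f.append(("164.308(a)(1)", "no risk analysis on file"))
    else:
        if ev.as_of - ev.risk_analysis_date > YEAR:
            f.append(("164.308(a)(1)", f"risk analysis dated {ev.risk_analysis_date} is older than twelve months"))
        if ev.last_material_change and ev.last_material_change > ev.risk_analysis_date:
            f.append(("164.308(a)(1)", f"material change on {ev.last_material_change} postdates the risk analysis"))
    # Termination: check every PHI system, so a forgotten billing portal or lab interface surfaces.
    for person, rec in ev.departures.items():
        deadline = rec["left"] + REVOKE_WINDOW
        for system in ev.phi_systems:
            revoked = rec["revoked"].get(system)
            if revoked is None:
                f.append(("164.308(a)(3)", f"{person}: {system} access never revoked"))
            elif revoked > deadline:
                hours = (revoked - rec["left"]) / timedelta(hours=1)
                f.append(("164.308(a)(3)", f"{person}: {system} revoked {hours:.0f} h after departure"))
    # Training is tracked per workforce member, at least annually.
    for member in ev.workforce:
        done = ev.training_completed.get(member)
        if done is None:
            f.append(("164.308(a)(5)", f"{member}: no training completion recorded"))
        elif ev.as_of - done > YEAR:
            f.append(("164.308(a)(5)", f"{member}: training last completed {done}"))
    # "We have backups" is not evidence; a documented restore test within the year is.
    if ev.last_restore_test is None or ev.as_of - ev.last_restore_test > YEAR:
        f.append(("164.308(a)(7)", "no backup restore test documented in the last year"))
    # Every vendor that handles PHI needs a signed BAA, not only the EHR vendor.
    for vendor, rec in ev.vendors.items():
        if rec["phi"] and rec["baa_signed"] is None:
            f.append(("164.308(b)", f"{vendor} handles PHI with no signed BAA on file"))
    return f


def sample_evidence() -> Evidence:
    """Constructed clinic record that reproduces several of the common gaps listed above."""
    return Evidence(
        as_of=date(2025, 6, 30),
        security_officer_doc="POL-001",
        risk_analysis_date=date(2024, 3, 1),
        last_material_change=date(2025, 1, 15),          # assumed practice management go-live
        phi_systems=["ehr", "billing_portal", "lab_interface", "practice_mgmt"],
        departures={"j.doe": {
            "left": datetime(2025, 5, 2, 17, 0),
            "revoked": {"ehr": datetime(2025, 5, 2, 17, 30),
                        "billing_portal": datetime(2025, 5, 6, 9, 0)},
        }},
        workforce=["a.smith", "b.jones", "c.lee"],
        training_completed={"a.smith": date(2025, 2, 10), "b.jones": date(2024, 1, 20)},
        last_restore_test=None,
        vendors={
            "EHR Vendor": {"phi": True, "baa_signed": date(2023, 8, 1)},
            "IT Consultant": {"phi": True, "baa_signed": None},
            "Landscaper": {"phi": False, "baa_signed": None},
        },
    )


if __name__ == "__main__":
    for cite, finding in check(sample_evidence()):
        print(f"{cite}: {finding}")
```

Run against the constructed record it reports nine gaps: the stale and superseded risk analysis, three revocation failures for the departed user (one late, two never done), two training gaps, the untested backups, and the IT consultant without a BAA. Tagging each finding with its CFR citation is what makes the output usable as evidence in the annual evaluation rather than as a to-do list.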
Documentation requirements
The administrative safeguards generate the largest documentation footprint of the three families. At minimum:
- Security Officer designation
- Risk analysis and risk management plan
- Sanction policy
- Information system activity review records
- Workforce security policies (clearance, authorization, termination)
- Information access management policy
- Training plan, materials, and completion records
- Incident response policy and incident log
- Contingency plan with backup, DR, and emergency operations procedures
- Test results from contingency exercises
- Annual evaluation report
- BA inventory and signed BAAs
Retain all of it for six years from creation or last effective date. The next time an investigator asks for the risk analysis, you should be able to produce the current version, every prior version, and the change log.
For the technical and physical companions, see the technical safeguards checklist and the physical safeguards checklist. The PHIGuard HIPAA platform is built around this exact structure: one risk register, one BAA inventory, one training tracker, one audit log.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.
Sources
- 45 CFR 164.308 - Administrative safeguards · Electronic Code of Federal Regulations
- HIPAA Security Rule Guidance Material · U.S. Department of Health and Human Services