Administrative safeguards make up 50% of the Security Rule's standards. In general, they require documented policies and procedures for day-to-day operations; for managing the conduct of the workforce in relation to PHI; and for managing the selection, development, and use of security controls. The specific standards of the administrative safeguards are:
Security management process: Implementing policies and procedures to prevent, detect, contain, and correct security violations.
Assigned security responsibility: A single individual must be designated as having overall responsibility for the security of a CE's EPHI.
Workforce security: Implementing policies and procedures to ensure that employees have only appropriate access to EPHI.
Information access management: Implementing policies and procedures for authorizing access to EPHI.
Security awareness and training: Implementing a security awareness and training program for a CE's entire workforce.
Security incident procedures: Implementing policies and procedures to handle security incidents.
Contingency plan: Implementing policies and procedures for responding to an emergency or other occurrence that damages systems containing EPHI.
Evaluation: Performing periodic technical and non-technical evaluations that determine the extent to which a CE's security policies and procedures meet the ongoing requirements of the Security Rule.
Business associate contracts and other arrangements: A CE may permit a business associate to create, receive, maintain, or transmit EPHI on the CE's behalf only if the CE has satisfactory assurance that the business associate will appropriately safeguard the data.