Within the HIPAA Security Rule, we find a division of 7 topics that must be taken into account when we talk about the security of establishments that deal with confidential patient information, one of which is the administrative security safeguards.
In summary, administrative security safeguards require the inclusion of security management, assignment of a responsible person or delegation of responsibility for security to a group of employees, training, and documentation of all decisions. In other words, establishments that handle this information must implement policies and procedures that prevent, detect, contain, and correct security breaches.
Security management has the purpose of implementing security in the work environment, including risk analysis, risk management, penalty policies, and a review of the activity information of the system used.
- Risk analysis: a survey of possible risks and vulnerabilities to the confidentiality, integrity, and viability of the information inserted in electronic media that is maintained by the clinic, office, or other health service providers must be carried out. Determining the likelihood of a risk occurring must also be done within this item.
- Risk management: risk management will tell how each of them will be mitigated through corrective measures, thus being reduced to acceptable levels.
- Sanctions policies: appropriate penalty policies and measures should be created against employees who do not follow the rules in a purposeful and harmful manner. These sanctions should reinforce the importance of keeping patient data safe and secure.
- System activity information: implement routine reviews and check which users are accessing the system and maintain reports on security-related incidents.
The second step to be taken is to appoint and identify a security officer who will develop and implement security policies. This employee will be responsible for making sure that the establishment is complying with all security measures imposed by HIPAA, and although this person is primarily responsible for security, he/she can and should delegate duties to others.
Employee security standards
In the third standard, we have security related to employee access, and it must be ensured that all employees who need access to personal health information can have it properly and that those who should not have this type of access cannot get it. There are three main points, namely: authorization of access, level of access, and termination of access.
Safety notions and training
This measure calls for a routine of safety training and basic safety notions, not only for employees but also for managers and administrators. There may be reminders or security tips, improvements made must be documented, virus protection and protection against other malicious software must be installed and kept up to date, and monitoring of logins must always be checked, just as passwords must not be shared.
Incident procedures and containment plans
Even with all the security measures being taken correctly, incidents can still happen and for that, it is necessary to have containment plans for the most diverse situations, such as theft or misappropriation of data, virus attacks that may interfere with the operation of the chosen software, theft of physical media that may contain patient information, failure to terminate access by former employees or even the loan of devices with access to medical records to people who should not have this type of access.
The containment plan must have measures that address all of these possible situations, with a quick response to emergencies, or even to situations such as fires, vandalism, and natural disasters.
Finally, we have the assessment measures, where clinics, offices, hospitals, and others that deal with patient health information must periodically make a complete assessment of both the technical part of the security systems and the non-technological part.
The standard recommends that the complete assessment of security measures is done at least once every two years, so that technologies and measures are not outdated, and they must also be documented.
Contracts and documents
This topic is very simple, everything must be documented, and if it is necessary to involve third parties in reading and accessing health information, they must sign confidentiality contracts for the security of that information.
Source: HHS - Administrative Safeguards