Administrative safeguards refer to the policies and actions taken at an organizational system level to maintain security for PHI (and e-PHI):
- A security management process should identify risks to PHI and e-PHI and contain an action plan to reduce vulnerability.
- Security personnel should be identified and made responsible for developing and implementing an action plan.
- Information access management should be used to enforce least privilege for PHI and e-PHI, minimizing the number of people with access and therefore the potential for access controls to be subverted.
- Workforce training and management should allow those in contact with PHI and e-PHI to understand their roles and responsibilities for this information.
- Evaluation against the HIPAA security requirements should ensure that changes are rolled out where necessary and that, otherwise, compliance assurances can be given.