HIPAA

HIPAA Administrative Safeguards: What They Require and Where Small Practices Fall Short

← All guides

HIPAA Administrative Safeguards: What They Require and Where Small Practices Fall Short

The HIPAA Security Rule applies to every covered entity and business associate that handles electronic protected health information. It is not optional and it is not satisfied by good intentions. This series walks through each safeguard category using findings from a gap assessment of a small healthcare practice — Meridian Health Partners, a fictional 22-person primary care practice used throughout this series as a working example. The gaps Meridian had are common. The consequences of leaving them unaddressed are not theoretical.

Meridian recently received a patient complaint alleging that a staff member had accessed records without clinical justification. The incident was reported to the Privacy Officer but was never evaluated under the Breach Notification Rule. Separately, the practice manager identified three former employees with active athenahealth credentials 60 days after their termination. The physician-owner engaged NAXS Labs to conduct a HIPAA Security Rule gap assessment and produce a remediation roadmap ahead of a scheduled state health department visit. What follows are the findings.

This post covers the Administrative Safeguards under 45 CFR 164.308 — the largest and most foundational section of the Security Rule. Eight required standards. Meridian was non-compliant or partially compliant on all eight.

What the Administrative Safeguards Require

The Administrative Safeguards are the management and policy controls that govern how a covered entity protects ePHI. They cover risk analysis, security officer designation, workforce access management, security awareness training, incident response, contingency planning, and periodic evaluation. They are administrative in name — not in importance. OCR enforcement actions consistently cite administrative safeguard failures as primary findings.

Each standard below includes the regulatory citation, what it requires, and what Meridian’s assessment found.

164.308(a)(1) — Risk Analysis and Risk Management

F-01
Risk Analysis
45 CFR 164.308(a)(1)(ii)(A)
Non-Compliant High Risk

Meridian’s most recent risk analysis was conducted approximately five years prior by a former office manager. No written report was produced. No findings were documented. No risk management process followed. Current leadership had no knowledge of its scope, methodology, or conclusions.

The result: the organization had no documented awareness of where ePHI resided, what threats existed, or what level of risk was present. Every downstream security decision — access controls, contingency planning, training scope — was made without a documented risk foundation.

A risk analysis must be current, thorough, and documented. An undocumented effort from five years ago conducted by someone no longer at the organization does not satisfy 164.308(a)(1)(ii)(A) under any interpretation of the standard. If you need a foundation before building yours, start with Understanding Risks and Know Your Threats — both cover the inputs the Security Rule expects.

The risk analysis is not just one finding among many — it is a prerequisite to satisfying almost every other requirement in the Security Rule. You cannot implement appropriate access controls without knowing what you are protecting. You cannot train your workforce on relevant threats without identifying them. You cannot build a contingency plan without knowing your critical systems and data locations. Meridian’s eight administrative safeguard findings are, in large part, downstream consequences of never having done this work.

164.308(a)(2) — Assigned Security Responsibility

F-02
Assigned Security Officer
45 CFR 164.308(a)(2)
Non-Compliant High Risk

Meridian’s practice manager served informally as both the Privacy Officer and the Security Officer without a written designation for either distinct role. The Privacy Officer and Security Officer are separate required designations. The Privacy Officer governs use and disclosure of PHI. The Security Officer is responsible for developing and implementing security policies and procedures for ePHI.

The individual holding both informal roles had no documented security-specific training and no independent authority to enforce security decisions. Enforcement authority sat with the physician-owner, creating a bottleneck for any remediation action.

Without a formally designated, empowered Security Officer there is no accountable party for implementing findings from an assessment like this one. The designation is not bureaucratic housekeeping — it determines who owns the program and who answers to OCR when something goes wrong. The case for why named ownership and executive authority matter is covered in Governance, Security Goals, and Privacy.

164.308(a)(3) — Workforce Security

F-03
Workforce Security
45 CFR 164.308(a)(3)
Non-Compliant High Risk

Access to athenahealth was provisioned informally based on role assumption with no written authorization procedure. No clearance process existed to verify access was appropriate before provisioning. Termination procedures included no IT offboarding step — access revocation was not assigned to a responsible party and was not tracked.

At the time of assessment, active athenahealth credentials were confirmed for multiple former employees. The duration of that unauthorized access exposure was unknown.

This is one of the most common and most avoidable HIPAA findings. A former employee with active EHR credentials is not a hypothetical risk — it is an active one.

164.308(a)(4) — Information Access Management

F-04
Information Access Management
45 CFR 164.308(a)(4)(ii)(B)
Non-Compliant High Risk

No written access request form, approval workflow, or provisioning checklist existed. Access was provisioned on verbal direction from the physician-owner at the time of hire. No record of approval was retained. When workforce members changed roles, permissions were additive — access accumulated without review or adjustment.

The organization could not produce documentation showing that any specific user’s access level had been reviewed and authorized by an accountable party. That is both a compliance failure and an audit trail failure. If OCR asks who authorized access to a specific record, “the doctor told me to add them when they started” is not a defensible answer.

164.308(a)(5) — Security Awareness and Training

F-05
Security Awareness and Training
45 CFR 164.308(a)(5)
Partial Medium Risk

Meridian provided HIPAA Privacy-focused training at hire through its HR platform. That satisfies the initial training requirement. The gap is in what happens after day one.

No recurring annual training had been delivered to existing workforce members. The training content addressed Privacy Rule obligations but not Security Rule threats — phishing, ransomware, malicious software, log-in monitoring. Workforce members had received no training on the threat categories most likely to result in a breach.

Partial credit here does not reduce the exposure. A workforce that knows what PHI is but does not know how to recognize a phishing email is a workforce waiting to be compromised.

164.308(a)(6) — Security Incident Procedures

F-06
Security Incident Procedures
45 CFR 164.308(a)(6)(ii)(A)
Non-Compliant High Risk

No written incident response plan existed. No formal procedures for identifying, responding to, mitigating, or documenting security incidents. Incident responsibility had not been assigned. In the event of an incident, the response would have been entirely ad hoc.

The critical issue here: a patient complaint alleging inappropriate access to records had been received and logged informally in a paper notebook. It was never evaluated under the Breach Notification Rule (45 CFR 164.402). No four-factor breach risk assessment was conducted to determine whether notification to the affected individual, HHS, and potentially media was required.

An unresolved potential breach is not a compliance gap — it is an active legal exposure. This item was flagged as requiring immediate action independent of the rest of the remediation roadmap.

164.308(a)(7) — Contingency Plan

F-07
Contingency Plan
45 CFR 164.308(a)(7)
Non-Compliant High Risk

Meridian assumed that athenahealth’s platform availability and backup capabilities satisfied its contingency planning obligations. This assumption is incorrect. Reliance on a vendor’s infrastructure does not substitute for a covered entity’s own documented contingency program under the Security Rule.

No data backup plan, disaster recovery plan, or emergency mode operation plan existed for the organization’s own operations. No tabletop exercise had ever been conducted. No recovery time objectives were defined.

Additionally, the practice’s only local backup was a single unencrypted USB drive stored at the front desk — an uncontrolled, publicly accessible location. That single asset created compounding risk across four control areas and was identified as an early remediation priority.

164.308(a)(8) — Evaluation

F-08
Periodic Evaluation
45 CFR 164.308(a)(8)
Non-Compliant Medium Risk

No defined review schedule existed. No individual had been assigned responsibility for conducting evaluations. No prior evaluation documentation had been retained. Leadership was unaware that periodic evaluation is a required implementation specification.

The Security Rule requires evaluation in response to environmental or operational changes that affect the security of ePHI — not just on a calendar schedule. Meridian had undergone the transition to athenahealth, significant workforce turnover, and the patient complaint incident without triggering a single evaluation.

The NAXS Labs assessment was the first formal security evaluation the organization had undergone.


Summary of Administrative Safeguard Findings

Finding Standard Status Risk
F-01Risk Analysis — 164.308(a)(1)Non-CompliantHigh
F-02Assigned Security Officer — 164.308(a)(2)Non-CompliantHigh
F-03Workforce Security — 164.308(a)(3)Non-CompliantHigh
F-04Information Access Management — 164.308(a)(4)Non-CompliantHigh
F-05Security Awareness and Training — 164.308(a)(5)PartialMedium
F-06Security Incident Procedures — 164.308(a)(6)Non-CompliantHigh
F-07Contingency Plan — 164.308(a)(7)Non-CompliantHigh
F-08Periodic Evaluation — 164.308(a)(8)Non-CompliantMedium
The pattern across these findings

Meridian’s administrative safeguard failures follow a predictable pattern: controls exist informally but have never been formalized, documented, assigned to an owner, or tested. The practice had HIPAA awareness. What it lacked was a structured program. The absence of a risk analysis sits at the root of most other findings — without it, the organization had no documented basis for any security decision it made.

For small practices: the administrative safeguards are achievable without a large security team. A designated Security Officer, a documented risk analysis, written access procedures, and an annual training program cover the majority of what 164.308 requires. The bar is documentation and accountability, not technology.

Next in this series: Physical Safeguards (45 CFR 164.310) — facility access controls, workstation use and security, and device and media controls. Four findings, all at high or medium risk.

Darnell Keith

Not sure where you stand on this?

A Gap Assessment or IAM Governance Assessment tells you exactly where the gaps are — and what to do about them, in order of what matters most.

Get in Touch
NAXS Labs
Logo