HIPAA has three main sections of requirements. These are separated by Administrative Requirements, Physical Requirements, and Technical Requirements.

Admin requirements are simply the steps that the administration of a business or company must take to ensure the safety of their client's PHI and ePHI. These policies govern the conduct of the workforce, putting in place safeguards and practices to ensure a client's sensitive information is secure. When putting in place a HIPAA compliance program, there are nine basic standards which make up the Administrative section. These nine standards are;

  1. Assigned Security Responsibility

  2. Security Management Process

  3. Workforce Security

  4. Information Access Management

  5. Security Awareness and Training

  6. Security Incident Procedures

  7. Contingency Plan

  8. Evaluation

  9. Business Associate Contracts and Other Arrangements

These nine sections make up the basics of the HIPAA Administrative Requirements. These sections can be further broken down and elaborated on, resulting in eighteen specific actions which must be taken.

Assigned Security Responsibility

  • Officers (required): Assign HIPAA security and privacy officers within your business.

Security Management Process

  • Risk Analysis (required): Determine where PHI could be vulnerable on systems where it is being used and stored via risk analysis.

  • Risk Management (required): Implement measures to reduce the risks found via above analysis to an acceptable level.

  • Sanction Policy (required): Introduce sanction policy's for employees who refuse or fail to comply.

  • Information Systems Activity Reviews (required): Regularly review system logs, audit trails, and activity.

Workforce Security

  • Employee Oversight (addressable): Put in place procedures to govern those employees who work with PHI, as well as rights and process to take away the privilege of accessing PHI. Further attempt to access PHI after privilege has been revoked should end with the termination of the individual.

Information Access Management

  • Multiple Organizations (required): PHI is not to be accessed by parent or partner organizations without documented authorization to do so.

  • ePHI Access (addressable): Put in place procedures and documentation policy for the access of ePHI or services and systems which also have access to ePHI.

Security Awareness and Training

  • Security Reminders (addressable): Updates and reminders about security policies and practices should be periodically sent to employees.

  • Protection Against Malware (addressable): Procedures and programs against malware should be put into place on the systems which log or store PHI.

  • Login Monitoring (addressable): Implement a system of login monitoring and reporting any suspicious conduct.

  • Password Management (addressable): Ensure there are procedures in place for creating and changing passwords in the system.

Security Incident Procedures

  • Response and Reporting (required): Identify, document, and respond to all security incidents and breaches.

Contingency Plan

  • Contingency Plans (required): Ensure there are accessible backups of all ePHI and that there are procedures in place for restoring any lost data.

  • Updates and Analysis (addressable): Have procedures for the periodic testing of the emergency contingency plan.

  • Emergency Mode (required): Create (and use as needed) procedures which make it possible to continue critical business functions during an emergency.


  • Perform periodic evaluations of HIPAA compliance procedures to ensure there are no updates or revisions to the laws and your business is up to date.

Business Associate Contracts and Other Arrangements

  • Have contracts in place with your business partners or other companies which may have access to your PHI saying that they too will be compliant with HIPAA or face possible charges.

Proper compliance doesn't have to be difficult. By breaking down the sections and following their requirements you can be sure your company is properly compliant. Of course all individual situations are different, therefore if you are unsure it is always better to get advice from a professional. For more about HIPAA and the other two compliance sections, feel free to contact us at our website.

Subscribe to our mailing list

* indicates required