Administrative safeguards must be adopted by business associates to protect PHI, and include:
- Security Management Process – Implement a plan and continually evaluate it
- Security Officer – Designate someone to implement/oversee security policies
- Workforce Security – Plan for granting varying levels of access to PHI
- Contingency Plan – Plan for responding to emergencies and natural disasters
- Business Associate Agreements – Contracts between covered entities and business associates that protect PHI
- Security Incident Procedures – Security incident response/reporting system
- Termination Procedures – Prevent terminated employees from having access

Actionable Takeaways:
- Access PHI only when necessary to perform job duties
- Verify receipt of PHI once properly transmitted
- Abide by all security policies and procedures
- Appropriately report all security incidents
- Destroy any physical (paper) PHI once it is no longer needed
- Before disclosing PHI, ensure the recipient is authorized and there is a BAA