HIPAA administrative safeguards: the complete checklist for small practices

Administrative safeguards under 45 CFR § 164.308 are the most commonly cited standard in OCR enforcement actions. Here is every requirement, what 'addressable' actually means, and what a small practice must have documented.

By CoreFolio

The eight standards in 45 CFR § 164.308 — the administrative safeguards section of the HIPAA Security Rule — appear in nearly every enforcement action the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has brought against a covered entity. Not because the requirements are obscure, but because they require documentation that many small practices have never produced.

Administrative safeguards are the organizational and procedural layer of HIPAA security. They govern how you manage your workforce’s access to electronic protected health information (ePHI), how you respond to incidents, how you train staff, and how you plan for emergencies. They are also the foundation on which the physical and technical safeguard layers sit.

How to read the requirements: required vs. addressable

Each implementation specification in 45 CFR § 164.308 is designated as either “required” or “addressable.”

Required means the covered entity must implement the specification as written. There are no exceptions, and there is no option to document an alternative in its place.

Addressable does not mean optional. It means the covered entity must:

  1. Assess whether the specification is reasonable and appropriate for its specific environment and risk profile.
  2. If reasonable and appropriate: implement it.
  3. If an equivalent alternative would achieve the same protection: implement the alternative and document why.
  4. If neither is reasonable and appropriate: document the specific reasons.

The 2026 NPRM (90 Fed. Reg. 898, published January 6, 2025) proposes eliminating this distinction and making most specifications required. The NPRM has not been finalized as of May 2026. The current rule remains in effect.


The eight administrative safeguard standards

1. Security management process — § 164.308(a)(1)

This standard has four implementation specifications:

Risk analysis (Required): An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity. The risk analysis must cover all ePHI — not only EHR data, but also data in email, cloud storage, portable devices, and any other system that creates, receives, maintains, or transmits ePHI. It must be documented and updated when operations or the threat environment changes materially.

Risk management (Required): A documented plan for implementing security measures sufficient to reduce identified risks to a reasonable and appropriate level. The plan must include specific actions, responsible parties, and timelines. Having a risk analysis without a risk management plan is itself a violation — OCR requires both, and the risk management plan is a mandated step in every corrective action plan OCR issues for risk analysis failures.

Sanction policy (Required): Written policies specifying consequences for workforce members who fail to comply with security policies and procedures. The policy must be applied consistently.

Information system activity review (Required): Regular review of audit logs, access reports, and security incident tracking records. The frequency must be documented. Most EHR systems produce audit logs automatically; the requirement is to review them on a scheduled basis and document that review.


2. Assigned security responsibility — § 164.308(a)(2)

Security Official (Required): The covered entity must identify and document a specific individual responsible for developing and implementing security policies and procedures. For a solo practice or a small clinic, this is frequently the physician, practice owner, or office manager.

The designation must be in writing. A job description or a formal written assignment document satisfies this requirement. An informal understanding does not.


3. Workforce security — § 164.308(a)(3)

Authorization and/or supervision (Addressable): Procedures for supervising workforce members who work with ePHI, or for authorizing and verifying the access of workforce members who do not need direct supervision.

Workforce clearance procedure (Addressable): Procedures for determining that a workforce member’s access to ePHI is appropriate before granting access — typically background check and role-based access review.

Termination procedures (Required): Procedures for revoking ePHI access when a workforce member’s employment or contractual arrangement ends.

Note: OCR frequently cites failure to revoke EHR access promptly after termination as a § 164.308(a)(3) finding. This is one of the most common and most preventable failures in small practices.


4. Information access management — § 164.308(a)(4)

Isolating healthcare clearinghouse functions (Required): Applies only to covered entities that are healthcare clearinghouses or that operate a clearinghouse function. Most small practices are not affected by this specification.

Access authorization (Addressable): Written policies and procedures for granting access to ePHI — defining who may access what, under what circumstances, and at what level of permission.

Access establishment and modification (Addressable): Procedures for establishing, documenting, reviewing, and modifying user access rights to ePHI, based on the workforce member’s role. Includes off-boarding processes when role changes occur.


5. Security awareness and training — § 164.308(a)(5)

Security awareness and training program (Addressable): A program for all workforce members, including management. The training must cover the content of security policies and how to handle ePHI. Training records must be maintained — OCR asks for documentation of when each employee was trained, what they were trained on, and that completion was verified.

Protection from malicious software (Addressable): Procedures for guarding against, detecting, and reporting malicious software.

Log-in monitoring (Addressable): Procedures for monitoring log-in attempts and reporting discrepancies, including failed access attempts.

Password management (Addressable): Procedures for creating, changing, and safeguarding passwords. The 2026 NPRM proposes more specific requirements, including longer minimum lengths and phishing-resistant authentication methods.


6. Security incident procedures — § 164.308(a)(6)

Response and reporting (Required): Written policies and procedures for identifying, responding to, mitigating, and documenting security incidents. “Security incident” is defined broadly in 45 CFR § 164.304: any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.

Small practices must maintain a log of security incidents, even minor ones, and document their response. Incidents that rise to the level of a breach trigger the Breach Notification Rule (45 CFR § 164.400–414).


7. Contingency plan — § 164.308(a)(7)

Data backup plan (Required): Written procedures for creating and maintaining retrievable exact copies of ePHI.

Disaster recovery plan (Required): Written procedures for restoring any loss of data. Must be specific to the covered entity’s systems and data locations.

Emergency mode operation plan (Required): Procedures for continuing critical business processes for protecting ePHI during and immediately after an emergency.

Testing and revision (Addressable): Procedures for periodically testing and revising contingency plans.

Applications and data criticality analysis (Addressable): An assessment of the relative criticality of specific applications and data in support of contingency plan components.


8. Evaluation — § 164.308(a)(8)

Periodic evaluation (Required): A periodic technical and non-technical evaluation — in response to environmental or operational changes and at regular intervals — to establish the extent to which the covered entity’s security policies and procedures meet the requirements of the Security Rule.

The evaluation is distinct from the risk analysis. It assesses compliance with implemented policies, not the landscape of risks. Frequency is not specified; annual evaluation is considered reasonable practice.


Business associate contracts — § 164.308(b)

Written contracts or other arrangements (Required): A covered entity must obtain satisfactory assurances from each business associate that the business associate will appropriately safeguard the ePHI it receives from or creates on behalf of the covered entity. These assurances must be in writing — a business associate agreement (BAA) — before any ePHI is shared.

Common business associates that small practices overlook: IT support vendors with remote access to practice systems, cloud backup and storage services, answering services that handle patient messages, billing companies, and legal or accounting firms that access records.


What OCR looks for in an investigation

OCR’s Risk Analysis Initiative (launched October 2024) has produced 16 enforcement actions as of May 2026, with combined settlements exceeding $2.5 million. Every action cites § 164.308(a)(1) — the risk analysis and risk management plan. Supporting findings in those same actions regularly include workforce training gaps (§ 164.308(a)(5)), missing BAAs (§ 164.308(b)), and absent termination procedures (§ 164.308(a)(3)).

The pattern is consistent: OCR does not expect perfection. It expects documentation. A covered entity that has conducted, documented, and acted on a risk analysis; has a written risk management plan; has trained its workforce with records to show it; and has executed BAAs with its business associates is in a substantially better position than one that has done all of these things informally and can prove none of them.

The minimum documentation floor

If you are starting from zero, these are the documents a small practice needs to produce to meet the administrative safeguard baseline:

  • A written risk analysis covering all ePHI systems
  • A written risk management plan with action items and timelines
  • A written sanction policy
  • A documented Security Official designation
  • A written information system activity review schedule and records
  • Signed BAAs with all vendors accessing ePHI
  • Workforce training records (who, what, when, completion documented)
  • A written security incident response policy and incident log
  • A written data backup and disaster recovery plan

None of these require outside counsel or enterprise software. All of them require time, structure, and a commitment to maintaining the records.


Sources: 45 CFR § 164.308 (administrative safeguards); 45 CFR § 164.304 (definitions); HHS Summary of the HIPAA Security Rule, hhs.gov/hipaa/for-professionals/security/laws-regulations; HHS HIPAA Security Rule Guidance, available at hhs.gov; OCR Risk Analysis Initiative enforcement actions, hhs.gov/press-room; 90 Fed. Reg. 898 (HIPAA Security Rule NPRM, January 6, 2025). Last verified May 20, 2026.