
HIPAA Understood: 164.308 Administrative

This series is intended to help those required to comply with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


You may have guessed this from the category title, but these controls focus on the organization’s policies and procedures, and on the maintenance of those policies and procedures. If you are new to HIPAA, you should understand that unless something is documented in a policy or procedure, it does not exist; obviously this isn’t true in practice, but for the purposes of HIPAA you should make it your golden rule. Security management is a major component of any regulatory standard and is covered by HIPAA in the following rule:

“164.308(a)(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.”

This rule may seem a bit confusing, so let’s break down what you really need to accomplish here. The short and simple version is that you need a security plan which is documented and maintained according to HIPAA regulations (we will get to these later, so don’t sweat it now). This document needs to address security incidents: how your organization will detect, prevent, and remediate them.

There are multiple methods you can use to accomplish this. You can create a single document titled “Security Plan” which contains all your security-related policies, or you can create several smaller policies, one for each specific area of HIPAA that requires documentation. Both options are valid and, if executed properly, will achieve compliance. Each option has its pros and cons, which I’m not going to get into in this article, but I will say that I recommend smaller policies, as they allow for a more granular approach to maintenance and distribution.