Administrative Safeguards

HIPAA Rule: §164.308

Administrative safeguards are the policies and procedures that manage the selection, development, implementation, and maintenance of security measures to protect PHI.

Security Management Process (§164.308(a)(1))

| Requirement | Status | Notes |
|---|---|---|
| Risk analysis | ❌ Pending | Required before attestation |
| Risk management | ❌ Pending | Remediation roadmap is the start |
| Sanction policy | ✅ Documented | See Workforce Training |
| Information system activity review | ❌ Pending | Requires CloudTrail + GuardDuty |

Assigned Security Responsibility (§164.308(a)(2))

| Item | Value |
|---|---|
| Security Officer | DevOps Team Lead (TBD — name required) |
| Responsibilities | Risk analysis, policy maintenance, incident response, training |

Workforce Security (§164.308(a)(3))

| Requirement | Status | Notes |
|---|---|---|
| Authorization / supervision | ✅ In policy | Access Control Policy |
| Workforce clearance procedure | ❌ Pending | Formal clearance checklist needed |
| Termination procedures | ❌ Pending | Off-boarding checklist needed (IAM revocation) |

Information Access Management (§164.308(a)(4))

| Requirement | Status | Notes |
|---|---|---|
| Isolate healthcare clearinghouse | N/A | Not applicable |
| Access authorization | ✅ In policy | IAM roles + least privilege |
| Access establishment and modification | ✅ In policy | Access request process documented |

Security Awareness and Training (§164.308(a)(5))

| Requirement | Status | Notes |
|---|---|---|
| Security reminders | ❌ Pending | Annual refresher program |
| Protection from malicious software | ❌ Pending | GuardDuty + endpoint AV policy needed |
| Log-in monitoring | ❌ Pending | CloudWatch alarms on failed logins |
| Password management | ❌ Pending | Password policy in IAM not confirmed |

Security Incident Procedures (§164.308(a)(6))

See Incident Response Plan.

Contingency Plan (§164.308(a)(7))

See Contingency Plan.

Evaluation (§164.308(a)(8))

An annual review of the security posture is required. Use the Security Hub score and the AWS Config conformance pack as the primary evaluation tools. Review schedule: each March.

Business Associate Contracts (§164.308(b))

See BAA Tracker.