U.S. Department of Health and Human Services
Health Information Technology and Quality Improvement

What are the administrative requirements that covered entities need to have in place under HIPAA to protect the privacy of PHI?

The HIPAA Privacy Rule imposes a set of administrative requirements that every covered entity must satisfy. A covered entity must adopt written privacy policies and procedures that are designed to comply with these requirements and that are reasonably scaled to its size and to the nature of its activities involving PHI.
The specific administrative requirements of a covered entity include:

  • Designation of a privacy official responsible for developing and implementing the entity's privacy policies and procedures, and of a contact person or office responsible for receiving complaints and providing information about the entity's privacy practices;
  • Training of all workforce members on the policies and procedures related to PHI, as necessary and appropriate for them to carry out their functions;
  • Implementation of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI;
  • Development and implementation of procedures through which individuals can submit complaints about the entity's compliance with the HIPAA Privacy Rule;
  • Development and application of sanctions against workforce members who fail to comply with the entity's privacy policies and procedures;
  • Mitigation, to the extent practicable, of any harmful effect caused by a use or disclosure of PHI that violates the entity's policies and procedures or the Privacy Rule; and
  • Written documentation of the entity's privacy policies and procedures, its notices of privacy practices, the disposition of complaints, and the other actions, activities, and designations that the Privacy Rule requires, retained until six years after the later of the date of their creation or their last effective date.


A covered entity is prohibited from retaliating against any individual for exercising his or her rights under the Privacy Rule, and a covered entity cannot require an individual to waive his or her rights under the Privacy Rule as a condition of providing services.

Resources:
Summary of the HIPAA Privacy Rule: Administrative Requirements - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003).  This site provides a summary of the HIPAA Privacy Rule.

Privacy Documents Relating to Administrative Requirements - Developed by the HIPAA Collaborative of Wisconsin (HIPAACOW) (2009).  This site contains numerous documents related to various administrative requirements.

HIPAA Administrative Simplification - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2006).  This document contains the regulation text.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.