45 CFR § 164.308
Administrative safeguards (HIPAA Security Rule)
What does 45 CFR § 164.308 require?
45 CFR 164.308 is the administrative-safeguards section of the HIPAA Security Rule: the policies and people-side controls every covered entity and business associate must have to protect ePHI. It contains nine standards: security management process (including the risk analysis and risk management), assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning (data backup, disaster recovery, emergency mode operation), evaluation, and business associate contracts.

The single most-cited gap in OCR enforcement is the security risk analysis. OCR investigators ask for a current, written, organization-wide risk analysis on virtually every complaint and breach investigation, and its absence is the most common finding in resolution agreements.

Required vs addressable: required specifications must be implemented as written; addressable specifications must be implemented as written, implemented through an equivalent alternative measure, or affirmatively documented as not reasonable and appropriate for the entity. Addressable is NOT a choice to skip the safeguard.

Common deficiencies cited in OCR resolution agreements: no documented risk analysis; a point-in-time rather than ongoing risk analysis; no risk-management plan addressing identified risks; missing workforce sanction policy; no documented security awareness training; contingency plan never tested; BAAs missing from one or more vendor relationships.
Regulation text (summary)
45 CFR 164.308 sets the administrative-safeguards standards of the HIPAA Security Rule. Covered entities and business associates must (1) implement a security management process — including a documented risk analysis, risk management program, sanction policy for workforce members, and information system activity review; (2) designate an assigned security responsibility (Security Official); (3) implement workforce security policies — authorization/supervision, workforce clearance, termination procedures; (4) implement information access management — access authorization, establishment, and modification; (5) deliver a security awareness and training program — security reminders, protection from malicious software, log-in monitoring, password management; (6) implement security incident procedures — response and reporting; (7) implement a contingency plan — data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, applications and data criticality analysis; (8) perform periodic technical and nontechnical evaluation of compliance; and (9) execute written Business Associate Contracts before allowing a BA to create, receive, maintain, or transmit electronic protected health information (ePHI) on the covered entity's behalf. Each standard contains required and addressable implementation specifications. Addressable does NOT mean optional — entities must implement, document equivalent measures, or document why the specification is not reasonable and appropriate.
Read the full regulation at eCFR.gov.
Who must comply with 45 CFR § 164.308?
All HIPAA covered entities (health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a HIPAA transaction) and all business associates that create, receive, maintain, or transmit ePHI on behalf of a covered entity. Applies regardless of size — solo medical practices, large hospital systems, health insurers, billing companies, IT vendors with access to ePHI, cloud-hosting providers, and SaaS vendors all must implement §164.308 safeguards. The Security Rule scales to the entity per §164.306(b): the size, complexity, and capabilities of the covered entity; technical infrastructure; cost; and probability and criticality of risk all factor into what is reasonable and appropriate — but every standard must be addressed. Small practices are NOT exempt; OCR has explicitly stated there is no small-practice exception to the Security Rule.
What happens if you violate 45 CFR § 164.308?
Civil Monetary Penalties under 45 CFR §160.404, as adjusted for inflation in 2023 (HHS republishes the amounts periodically in the 45 CFR §102.3 table, so check the current figures): Tier 1 (did not know) $137 to $68,928 per violation; Tier 2 (reasonable cause) $1,379 to $68,928 per violation; Tier 3 (willful neglect, corrected within 30 days) $13,785 to $68,928 per violation; Tier 4 (willful neglect, not corrected) $68,928 to $2,067,813 per violation. Annual cap for all violations of an identical provision: $2,067,813. Under its 2019 Notice of Enforcement Discretion, OCR applies lower annual caps to the first three tiers, so the culpability tier matters as much as the per-violation figure. Each day a violation continues can be counted as a separate violation. HHS Office for Civil Rights (OCR) is the enforcement agency. Triggers include the HIPAA Breach Notification Rule (any breach affecting 500+ individuals is publicly posted on the OCR Breach Portal, the so-called Wall of Shame), patient complaints filed directly with OCR, and compliance reviews initiated by OCR. Resolution agreements typically include corrective action plans with 1-3 year monitoring periods. Recent multimillion-dollar settlements have consistently cited missing or inadequate §164.308(a)(1)(ii)(A) risk analyses as a foundational finding. Criminal penalties for knowing disclosure (42 USC 1320d-6) are separate, prosecuted by DOJ, and can include imprisonment.
How to comply (implementation checklist)
1. Conduct an organization-wide security risk analysis covering all ePHI assets (EHR, devices, backups, cloud, email, paper-to-digital workflows). Use the NIST SP 800-30 or HHS SRA Tool methodology. Update at minimum annually and whenever significant changes occur.
2. Document a written risk-management plan that addresses each identified risk with specific mitigations, owners, and target completion dates. Track residual-risk acceptance decisions with sign-off.
3. Maintain a written sanction policy that specifies consequences for workforce members who violate security policies. Train the workforce on the policy. Document every sanction action.
4. Implement information system activity review: regular review of audit logs, access reports, and security incident tracking reports. Document frequency, reviewer, and findings.
5. Designate a Security Official in writing (§164.308(a)(2)). The Security Official can also be the Privacy Official, but the assignment must be documented.
6. Implement workforce security procedures: authorization/supervision of workforce with ePHI access, workforce clearance (background checks where appropriate), and termination procedures (revoke access within a defined number of hours, recover devices and credentials).
7. Implement information access management: role-based access authorization, documented procedures for granting/modifying/revoking access, and unique user IDs for every workforce member with ePHI access (unique user identification is a §164.312(a)(2)(i) technical safeguard that makes the access records under this standard attributable).
8. Deliver security awareness training at hire and at least annually. Include security reminders, malicious software protection, log-in monitoring, and password management. Maintain per-employee training records: date, content, signature/acknowledgment.
9. Document security incident response procedures: how incidents are reported, triaged, contained, investigated, documented, and reported externally if required under the Breach Notification Rule. Maintain a security incident log.
10. Implement and TEST a contingency plan: data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis. Document tabletop or live test results at least annually.
11. Perform periodic technical and nontechnical evaluation of Security Rule compliance, at minimum annually or after environmental/operational changes. Document the evaluation and resulting remediation actions.
12. Inventory every Business Associate relationship. Execute or refresh written BAAs that contain the required §164.314(a)(2) provisions before sharing ePHI. Track expiration and renewal.
13. Maintain all policies, procedures, training records, risk analyses, evaluations, and BAAs for at least 6 years from the date of creation or the date last in effect, per §164.316(b)(2)(i).
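Several of the checklist items above (risk analysis age, per-employee training records, termination revocation windows, BAA coverage) reduce to checks a security team can run against exported evidence rather than re-audit by hand. The script below is an added example, not FileFlo's code and not an OCR tool: it runs those four checks over constructed sample records and emits findings tagged with the §164.308 citation they map to. The record field names, the 24-hour revocation window, and the 365-day review interval are assumptions standing in for whatever an entity's own policy and HR/IdP exports define.

```python
"""Evidence checks for the §164.308 checklist, run over constructed sample data."""
from datetime import date, datetime, timedelta

AS_OF = datetime(2025, 3, 1, 9, 0)  # assumed audit timestamp

# Constructed evidence records. Field names are assumptions, not a real export format.
EVIDENCE = {
    "risk_analysis_completed": date(2023, 6, 15),  # last enterprise-wide risk analysis
    "workforce": ["u.alice", "u.bob", "u.carol", "u.dave"],
    "training": [  # per-employee completion records (item 8)
        {"user": "u.alice", "completed": date(2024, 9, 10)},
        {"user": "u.bob", "completed": date(2023, 11, 2)},  # older than 12 months
        {"user": "u.carol", "completed": date(2025, 1, 20)},
        # u.dave has no record at all
    ],
    "terminations": [  # HR termination events (item 6)
        {"user": "u.bob", "terminated_at": datetime(2025, 2, 27, 17, 0)},   # 40 h ago
        {"user": "u.carol", "terminated_at": datetime(2025, 2, 28, 18, 0)}, # 15 h ago
    ],
    "active_accounts": ["u.alice", "u.bob", "u.carol", "u.dave"],  # IdP export
    "vendors": [  # vendor inventory (item 12)
        {"name": "CloudHost Inc", "handles_ephi": True, "baa_expires": date(2026, 1, 1)},
        {"name": "BillingCo", "handles_ephi": True, "baa_expires": date(2024, 12, 31)},
        {"name": "Shred-It-Fast", "handles_ephi": True, "baa_expires": None},
        {"name": "Coffee Supply", "handles_ephi": False, "baa_expires": None},
    ],
}


def stale_risk_analysis(completed, as_of, max_age_days=365):
    """§164.308(a)(1)(ii)(A): return the age in days if the analysis is past the interval."""
    age = (as_of.date() - completed).days
    return age if age > max_age_days else None


def untrained_workforce(workforce, training, as_of, max_age_days=365):
    """§164.308(a)(5): workforce members with no completion inside the interval."""
    latest = {}
    for rec in training:
        latest[rec["user"]] = max(latest.get(rec["user"], date.min), rec["completed"])
    cutoff = as_of.date() - timedelta(days=max_age_days)
    return sorted(u for u in workforce if latest.get(u, date.min) < cutoff)


def late_terminations(terminations, active_accounts, as_of, window_hours=24):
    """§164.308(a)(3)(ii)(C): terminated users still active past the revocation window."""
    active = set(active_accounts)
    window = timedelta(hours=window_hours)
    return sorted(t["user"] for t in terminations
                  if t["user"] in active and as_of - t["terminated_at"] > window)


def baa_gaps(vendors, as_of):
    """§164.308(b)(1): vendors that handle ePHI with no BAA on file or an expired one."""
    gaps = []
    for v in vendors:
        if not v["handles_ephi"]:
            continue
        exp = v["baa_expires"]
        if exp is None:
            gaps.append((v["name"], "no BAA on file"))
        elif exp < as_of.date():
            gaps.append((v["name"], f"BAA expired {exp.isoformat()}"))
    return gaps


def evaluate(evidence, as_of):
    """Run every check and return (citation, detail) pairs for the audit binder."""
    findings = []
    age = stale_risk_analysis(evidence["risk_analysis_completed"], as_of)
    if age is not None:
        findings.append(("164.308(a)(1)(ii)(A)", f"risk analysis is {age} days old"))
    for u in untrained_workforce(evidence["workforce"], evidence["training"], as_of):
        findings.append(("164.308(a)(5)", f"{u}: no training completion in last 365 days"))
    for u in late_terminations(evidence["terminations"], evidence["active_accounts"], as_of):
        findings.append(("164.308(a)(3)(ii)(C)", f"{u}: account still active past revocation window"))
    for name, why in baa_gaps(evidence["vendors"], as_of):
        findings.append(("164.308(b)(1)", f"{name}: {why}"))
    return findings


if __name__ == "__main__":
    for cite, detail in evaluate(EVIDENCE, AS_OF):
        print(f"{cite}: {detail}")
```

Note that u.carol is terminated but still within the 24-hour window, so she is not flagged yet, while u.bob is flagged both for stale training and for an account left active past the window; re-running the same checks on a schedule is what turns a point-in-time review into the ongoing evidence OCR asks for.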
Common misinterpretations
- Misinterpretation: 'Addressable specifications are optional.' Reality: §164.306(d)(3) requires the entity to assess whether the specification is reasonable and appropriate and then (a) implement it, OR (b) document why it is not reasonable and appropriate and implement an equivalent alternative measure that accomplishes the same purpose, OR (c) document why neither the specification nor any equivalent measure is reasonable and appropriate. Addressable means a documented decision, never silent omission.
- Misinterpretation: 'The risk analysis is a one-time project.' Reality: §164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. OCR guidance is unambiguous that risk analysis must be ongoing — updated whenever new systems, vendors, locations, or major operational changes occur, and at minimum reviewed annually. Point-in-time risk analyses from 3-5 years ago are routinely cited as deficient.
- Misinterpretation: 'A security risk analysis is the same as a HIPAA compliance gap assessment.' Reality: A gap assessment compares policies to regulatory requirements; a risk analysis identifies specific threats and vulnerabilities to specific ePHI assets and assigns likelihood and impact. OCR has explicitly stated that a gap assessment does NOT satisfy §164.308(a)(1)(ii)(A) — and many entities have been penalized for confusing the two. NIST SP 800-30 is the most commonly referenced methodology.
- Misinterpretation: 'Training only needs to happen once at hire.' Reality: §164.308(a)(5)(i) requires a security awareness and training PROGRAM — implementation specifications include ongoing security reminders (addressable), protection from malicious software (addressable), log-in monitoring (addressable), and password management (addressable). OCR-recommended practice and industry standard is annual refresher training plus role-based training when responsibilities change.
- Misinterpretation: 'Small medical practices don't need formal Security Rule compliance.' Reality: There is no small-practice exception. The Security Rule is scalable per §164.306(b) — a 2-provider clinic implements simpler controls than a 500-bed hospital — but every standard at §164.308 must be addressed. OCR has imposed six- and seven-figure penalties on small practices for missing risk analyses.
- Misinterpretation: 'Our IT vendor handles security — we don't need a BAA or our own risk analysis.' Reality: §164.308(b)(1) requires a written Business Associate Contract before allowing a BA to handle ePHI. The covered entity remains responsible for its own §164.308 compliance regardless of vendor controls. Vendor SOC 2 reports and BA-side risk analyses do NOT substitute for the covered entity's own organization-wide risk analysis.
Real enforcement examples
Anonymized from public HHS Office for Civil Rights (OCR) enforcement summaries. Penalty amounts reflect assessed and final settled values where disclosed.
OCR resolution agreement: regional health system paid $4.75M and entered a 3-year corrective action plan after a ransomware-driven breach affecting ~300,000 individuals. OCR investigation cited (1) failure to conduct an accurate and thorough enterprise-wide risk analysis per §164.308(a)(1)(ii)(A), (2) insufficient risk management per §164.308(a)(1)(ii)(B), and (3) inadequate audit controls. Risk analysis finding was foundational — OCR stated the entity could not have identified the vulnerabilities exploited because no current organization-wide risk analysis existed.
Source: HHS Office for Civil Rights resolution agreements (anonymized pattern; reflects multiple 2023-2024 settlements)
OCR settlement: solo dermatology practice paid $150,000 after a stolen unencrypted thumb drive exposed ~2,200 patient records. Investigation found no documented risk analysis, no risk management plan, and no documented security awareness training program. Demonstrates that practice size does not exempt covered entities from §164.308 administrative-safeguards standards.
Source: HHS Office for Civil Rights resolution agreements (anonymized pattern; reflects 2020-2023 small-practice settlements)
How FileFlo handles 45 CFR § 164.308
FileFlo's compliance rule-pack HHS-OCR-45CFR164.308 automatically checks every document you upload against this regulation. Auto-detects document type, parses key fields, sets renewal alerts, and surfaces this section in your audit binder if a gap is found.
Frequently asked questions
What is the difference between required and addressable implementation specifications under 45 CFR 164.308?
Required specifications must be implemented as written. Addressable specifications require the covered entity or business associate to (1) implement the specification if it is reasonable and appropriate for the entity, (2) otherwise document why it is not and implement an equivalent alternative measure that accomplishes the same security purpose, OR (3) document in writing why neither the specification nor an equivalent measure is reasonable and appropriate. Per §164.306(d), addressable is NOT optional; silent omission is a violation. OCR has cited many entities for treating addressable as 'we chose not to do it.'
How often must a HIPAA security risk analysis be performed?
45 CFR 164.308(a)(1)(ii)(A) requires an accurate and thorough assessment of risks and vulnerabilities — and OCR guidance treats it as ongoing, not point-in-time. Industry standard and OCR recommendation: refresh the risk analysis at minimum annually and whenever significant changes occur (new EHR, new cloud vendor, new location, major workforce change, security incident, or major regulatory change). Risk analyses more than 12-18 months old without documented re-evaluation are routinely cited as deficient. The HHS SRA Tool (free, joint OCR/ONC product) is a common starting methodology; NIST SP 800-30 is the most commonly cited formal framework.
What constitutes a security incident under 45 CFR 164.308(a)(6)?
§164.304 defines security incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. This is broader than a 'breach' — every probed firewall, every failed phishing email, every malware detection, every unauthorized access attempt is technically a security incident. §164.308(a)(6) requires procedures to identify and respond to suspected or known security incidents, mitigate harmful effects, and document outcomes. Best practice: a security incident log capturing date, type, source, scope, response, and resolution — including incidents that did NOT escalate to a breach. A breach is the subset of incidents requiring notification under the Breach Notification Rule (§§164.400-414).
What documentation is required to prove HIPAA security awareness training compliance?
§164.308(a)(5) and §164.316 require documentation. OCR investigators look for: (1) a written training program describing content, frequency, and audience; (2) per-employee training records showing date, content modules, and employee acknowledgment (signature, electronic acceptance, or LMS completion record); (3) evidence of ongoing security reminders (e.g., periodic emails, posters, intranet posts); (4) documentation of role-based training for employees with elevated ePHI access; (5) records retained for at least 6 years per §164.316(b)(2)(i). A blanket 'all staff trained' attestation without per-employee records will not pass an OCR audit.
Is there a small-practice exception to 45 CFR 164.308?
No. There is no small-practice or small-business exception to the HIPAA Security Rule. §164.306(b) requires that the size, complexity, and capabilities of the entity be considered when deciding what is reasonable and appropriate — so a solo practice implements simpler controls than a hospital — but every standard at §164.308 must be addressed. OCR has imposed six- and seven-figure penalties on practices with fewer than 10 workforce members for missing risk analyses and inadequate workforce training. The HHS SRA Tool is specifically designed to make compliance feasible for small practices.
What must a Business Associate Contract include to satisfy 45 CFR 164.308(b)?
The written BAA must contain the Security Rule provisions required by §164.314(a)(2)(i): (1) the business associate will comply with the applicable Security Rule requirements; (2) per §164.308(b)(2), it will ensure that any subcontractors that create, receive, maintain, or transmit ePHI on its behalf agree to the same requirements through their own contract; and (3) it will report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by §164.410. The clause authorizing termination for a material violation comes from the Privacy Rule's BAA requirements at §164.504(e)(2)(iii); in practice a single BAA is drafted to satisfy both rules. The BAA must be in place BEFORE the BA creates, receives, maintains, or transmits ePHI on the covered entity's behalf. Common gap: a covered entity assumes a vendor signed a BAA at onboarding, but the contract has expired, the vendor changed entity name, or a downstream subcontractor was added without a flow-down BAA. All of these are §164.308(b) violations.
Author
Chad Griffith
Founder + CEO, FileFlo · Defense + Aviation + healthcare operations background
Sources + reviewer
Primary source: eCFR.gov — 45 CFR § 164.308
Reviewed by Chad Griffith (Founder + CEO, FileFlo) on