Your Security Foundation
§164.308(a) is the administrative foundation that holds the rest of your security program up. The earlier chapters walked you through concrete pieces. This chapter names the meta-structure: the risk-based thinking, the person accountable, and the procedures that tie workforce accountability to security policy.
Why this chapter exists, in plain English
§164.308(a) — the administrative foundation that holds the rest of your security program up. The earlier chapters walked you through concrete pieces: your BAAs, your devices, your passwords, your workspace, your incident response, your training, your paperwork, your systems. This chapter names the meta-structure: the risk-based thinking behind those pieces, the person accountable for running it, and the procedures that tie workforce accountability to security policy.
Seven topics, all mapping to required standards under §164.308. The biggest single gap in a new practice’s HIPAA program usually lives here — specifically in §164.308(a)(1), the Security Management Process, which asks you to write down a Risk Analysis, a Risk Management response, a Sanction Policy, and an Information System Activity Review procedure. Each is a document you can create in an afternoon.
The Sanction Policy topic includes an adopt-and-edit template with NIST-derived sample language. The Security Official topic asks you to write down a name (for a solo practice, your own; in a small office, whoever holds the role). Everything else is a short writing task anchored in what you’ve already built.
The seven foundations
Risk analysis:
naming what could go wrong with the ePHI you actually hold
HHS wants you to have “conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” your practice handles. Plainly: you’ve thought carefully about what could go wrong, where ePHI lives, and what could happen to it.
For a solo or small practice, a workable risk analysis names three things: (1) the ePHI you handle and where it lives (your EHR, your clinical email, your backups, your devices — most already cataloged in Chapters 1, 2, and 6), (2) the realistic threats (lost device, account compromise, vendor outage, ransomware, accidental disclosure), and (3) your best honest assessment of how likely each is and how bad the impact would be. NIST SP 800-66 Rev. 2 is the reference HHS expects you to work from.
Risk management:
the dated decisions you made about each risk and why
For each risk your analysis surfaced, you either (1) apply a safeguard that reduces it to a reasonable and appropriate level, or (2) document that you’ve accepted the residual risk with a clear reason. Doing nothing silently is not an option OCR accepts.
Almost everything in Chapters 1 through 7 and Chapter 9 is a risk-management response — BAAs close vendor-trust risk, full-disk encryption closes lost-device risk, backups close ransomware risk, audit-log review closes undetected-access risk. Connect the safeguards you’ve already picked back to the risks they address.
Sanction policy:
what happens when someone on the workforce breaks the rules
The rule requires “appropriate sanctions against workforce members who fail to comply with the security policies and procedures.” For a solo or small practice, “workforce” starts with you — and extends to any intern, virtual assistant, biller, or contractor you bring on. The document has to exist whether or not you ever need to apply it.
A three-tier ladder (accidental / serious-or-repeated / willful-or-malicious) with clear consequences at each level is the standard shape. The adopt-and-edit template below is NIST-derived language that many solo or small practices use as-is.
Information system activity review:
how you spot trouble in the audit logs your systems already keep
Audit logs that exist but nobody reads are one of the patterns OCR most consistently flags in settlements. Monthly is the most common small-practice cadence; quarterly is defensible with a written rationale.
You already know where the audit logs are — Chapter 9 walked through pulling them. This topic adds the review procedure: open the log on cadence, scan for unfamiliar access or failed-login bursts, document that you did so. The cadence belongs on your Chapter 7 review calendar.
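Here is what that review procedure looks like when written down as a script. This is an added example, not HIPAAPath's code or anything the page supplies: it assumes a hypothetical EHR audit-log CSV export with the columns timestamp,user,event,outcome,record, a constructed roster of currently authorized accounts, and a constructed definition of a "burst" (five failed logins by one account within ten minutes). It scans the log for the two patterns the procedure names, unfamiliar access and failed-login bursts, and produces the dated review record that documents the review was done.

```python
"""Added example (not HIPAAPath's code): a monthly information-system
activity review run over constructed EHR audit-log lines.

Assumptions (hypothetical, not from the page): the EHR exports its audit
log as CSV with the columns timestamp,user,event,outcome,record; the
workforce roster is a set of approved usernames; a "burst" is
BURST_THRESHOLD failed logins by one user within BURST_WINDOW.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import csv
import io

# Constructed sample export, not real audit data.
SAMPLE_LOG = """timestamp,user,event,outcome,record
2024-05-02T09:01:10,drlee,login,success,
2024-05-02T09:02:30,drlee,view,success,PT-1042
2024-05-03T22:14:05,biller1,login,failure,
2024-05-03T22:14:20,biller1,login,failure,
2024-05-03T22:14:41,biller1,login,failure,
2024-05-03T22:15:02,biller1,login,failure,
2024-05-03T22:15:30,biller1,login,failure,
2024-05-06T10:30:00,intern_old,login,success,
2024-05-06T10:31:15,intern_old,view,success,PT-2077
2024-05-07T11:00:00,drlee,view,success,PT-1043
"""

# Current authorized workforce (constructed). Any other account that
# shows up in the log is "unfamiliar access" and must be explained.
WORKFORCE = {"drlee", "biller1"}

BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the CSV export into dicts, adding a real datetime and sorting by it."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_unfamiliar_access(rows, workforce=WORKFORCE):
    """Accounts with a successful event that are not on the current roster."""
    return sorted({r["user"] for r in rows
                   if r["outcome"] == "success" and r["user"] not in workforce})


def find_failed_login_bursts(rows, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Users with at least `threshold` failed logins inside any sliding window.

    Failures are grouped per user and sorted; a two-pointer sweep keeps the
    window no wider than `window` and reports the first qualifying span.
    """
    failures = defaultdict(list)
    for r in rows:
        if r["event"] == "login" and r["outcome"] == "failure":
            failures[r["user"]].append(r["ts"])
    bursts = []
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, times[start], times[end]))
                break  # one finding per user is enough for the review record
    return bursts


def run_review(text, reviewed_on, workforce=WORKFORCE):
    """Build the dated review record: what was reviewed, when, and what was found."""
    rows = parse_log(text)
    findings = [f"unfamiliar account with successful access: {user}"
                for user in find_unfamiliar_access(rows, workforce)]
    findings += [f"failed-login burst: {user} from {first} to {last}"
                 for user, first, last in find_failed_login_bursts(rows)]
    period = None
    if rows:
        period = (rows[0]["ts"].date().isoformat(), rows[-1]["ts"].date().isoformat())
    return {
        "reviewed_on": reviewed_on,
        "events_reviewed": len(rows),
        "period": period,
        "findings": findings,
    }


if __name__ == "__main__":
    record = run_review(SAMPLE_LOG, "2024-06-01")
    for key, value in record.items():
        print(f"{key}: {value}")
```

Run against the constructed log, the review flags two things a reviewer has to act on: the `intern_old` account still accessing records after dropping off the roster (an access-revocation gap), and a five-failure login burst on `biller1` late at night. The returned record, including a review with no findings, is what goes in the Chapter 7 review file as evidence the cadence was kept.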
Security Official:
the named person responsible for the practice's security program
Required, not addressable. You have to name someone. For a solo practice that’s you; for a small office, the owner or practice manager — which is fine, as long as it’s written down.
The Security Official’s job is development and implementation of the required policies. In practice, for a solo practice, that means the person who runs the Chapter 7 review, signs the Practice Security Manual, and responds to incidents. Name them — with an optional alternate and contact line — over in Your Practice; that designation auto-fills your Security Official policy template wherever it appears.
Incident escalation for the official isn’t captured here — that’s §164.308(a)(6), handled in If Something Goes Wrong (Chapter 6).
Workforce security and access management:
who's authorized for what, and how access ends when people leave
(a)(3) Workforce Security asks for procedures granting appropriate access to workforce members, ensuring they’re suitable before access is granted, and removing access when they leave.
(a)(4) Information Access Management asks for policies granting the minimum necessary access each workforce member needs.
For a solo or small practice, the procedures can be a one-page checklist: vet the person, grant only the access they need, note it, and revoke everything when they leave. The procedures still need to be written, because the moment you bring on even one intern, you need a repeatable way to grant, record, and revoke that access.
Periodic evaluation:
the dated review that confirms your safeguards still match the practice
Required, not addressable. Re-run the audit when things change materially (new vendor, new staff, new technology, a security incident, regulation update), and at least annually.
Chapter 7 handles the cadence; this topic confirms the scope. Running HIPAAPath end-to-end on your annual review date satisfies the technical and nontechnical evaluation requirement for most solo or small practices.