A single missing risk assessment cost Premera Blue Cross $6.85 million in 2020. Not a breach of millions of records — though that happened too. The OCR settlement hinged on the fact that Premera had failed to implement adequate administrative safeguards. The kind that seem bureaucratic until they're the reason a seven-figure check leaves your account.
If you've ever searched how many administrative areas apply to HIPAA regulations, you're asking the right question. The answer isn't a single number pulled from thin air — it's a structured framework that the U.S. Department of Health and Human Services mapped out in the HIPAA Security Rule. Let me walk you through exactly what those areas are, why each one matters, and where covered entities consistently get tripped up.
The Direct Answer: Nine Administrative Safeguard Standards
The HIPAA Security Rule organizes its requirements into three categories: administrative safeguards, physical safeguards, and technical safeguards. The administrative safeguards — found in 45 CFR § 164.308 — contain nine distinct standards. Each standard addresses a specific operational area your organization must get right to protect electronic protected health information (ePHI).
These nine standards aren't suggestions. They're regulatory requirements that OCR investigators check during audits and breach investigations. Here's every one of them.
Breaking Down All Nine Administrative Safeguard Standards
1. Security Management Process
This is the foundation. Your organization must implement policies and procedures to prevent, detect, contain, and correct security violations. The required implementation specifications here include a risk analysis, risk management plan, a sanction policy for workforce members who violate your policies, and regular information system activity reviews.
I've seen organizations treat risk analysis as a one-time checkbox. OCR has made clear — repeatedly, through enforcement actions — that risk analysis is ongoing. The $5.1 million settlement with Advocate Medical Group in 2016 drove that point home.
2. Assigned Security Responsibility
You must designate a specific individual as your HIPAA Security Officer. Not a committee. Not a department. A person, with a name and accountability. Smaller practices sometimes assign this to their office manager. Larger health systems build entire teams. Either way, someone has to own it.
3. Workforce Security
This standard requires you to ensure that every member of your workforce has appropriate access to ePHI — and that those who shouldn't have access don't. Implementation specifications include authorization and supervision procedures, workforce clearance procedures, and termination procedures when someone leaves your organization.
The word "workforce" in HIPAA is broader than you might expect. It includes employees, volunteers, trainees, and anyone under your organization's direct control, whether or not they're paid.
4. Information Access Management
Closely related to workforce security, this standard focuses on authorizing access to ePHI. If your organization is a health care clearinghouse that's part of a larger entity, you need policies that isolate clearinghouse functions. You also need access authorization and access establishment and modification procedures.
5. Security Awareness and Workforce Training
Every workforce member must receive training on your security policies and procedures. This isn't optional, and it isn't a one-time event. The Security Rule requires training for new workforce members and periodic refreshers. Implementation specifications also call for security reminders, protection from malicious software, log-in monitoring, and password management guidance.
If your team handles PHI in Texas, you're also dealing with state-specific training obligations under HB 300. Our Texas Medical Records Privacy Act (HB 300) training course covers those layered requirements so your staff meets both federal and state standards.
6. Security Incident Procedures
Your organization must have a formal process for identifying, responding to, and reporting security incidents. An incident is any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information — or interference with system operations.
In my experience, most small practices don't have a written incident response plan until after their first breach. That's backwards, and it's exactly what OCR looks for.
7. Contingency Plan
What happens when your systems go down? The Security Rule requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan. You also need to test and revise those plans and conduct an applications and data criticality analysis.
Ransomware has made contingency planning more urgent than ever. If you can't restore ePHI from backups, you're not just facing operational paralysis — you're facing a potential breach notification obligation under the HHS Breach Notification Rule.
8. Evaluation
You must perform periodic technical and nontechnical evaluations of your security program. This means reassessing whenever environmental or operational changes affect the security of ePHI — new software, new locations, organizational mergers, or changes to applicable regulations.
9. Business Associate Contracts and Other Arrangements
If you share ePHI with business associates — cloud hosting providers, billing companies, IT vendors — you need written contracts that require those partners to safeguard that data. The 2013 HIPAA Omnibus Rule made business associates directly liable under the Security Rule, but the covered entity still needs the contracts in place.
OCR has pursued enforcement against covered entities specifically for inadequate business associate agreements. The North Memorial Health Care settlement in 2016 — $1.55 million — centered partly on a missing BAA with a major contractor.
Why "Administrative" Carries the Most Weight
Of the three safeguard categories in the Security Rule, administrative safeguards make up more than half of the total requirements. That's not an accident. HHS structured the regulation this way because technology and locks can only do so much. Without the right policies, training, and human decision-making, technical controls collapse.
When OCR investigates a breach, the first thing they request is documentation: your risk analysis, your training records, your incident response logs, your BAAs. All of that falls under administrative safeguards. If you can't produce the paperwork, you're already in trouble — regardless of whether your encryption was airtight.
The $1.9 Million Lesson Most Dental Offices Haven't Learned Yet
In 2019, a dental management company called Dental Associates agreed to a corrective action plan after OCR found multiple administrative failures. While not every small practice faces seven-figure penalties, the pattern is consistent: organizations that skip risk assessments, neglect workforce training, or operate without written policies bear the brunt of OCR's enforcement.
This applies to every covered entity and business associate, from a solo-practice therapist to a 10,000-bed hospital system. The nine administrative standards scale to your size and complexity — but none of them are optional.
How to Audit Your Administrative Safeguards in 2026
Here's a practical approach I recommend to every organization I advise:
- Map each of the nine standards to a named responsible person and a written policy in your compliance documentation.
- Run a current risk analysis. If your last one is more than 12 months old, or if you've made significant IT changes since then, it's stale. The HHS Guidance on Risk Analysis is your baseline.
- Verify training records. Can you prove that every workforce member — including recent hires, temps, and volunteers — received HIPAA security training? Our full HIPAA training catalog covers both foundational and role-specific courses that generate completion documentation.
- Pull your BAA inventory. List every vendor with access to ePHI. Confirm each one has a signed, current business associate agreement.
- Test your contingency plan. Actually restore from a backup. Run a tabletop exercise for a ransomware scenario. Document it.
This process shouldn't take months. But it does require deliberate attention — and that's exactly what administrative safeguards demand.
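As an added example (not code from the original article), here is a small Python gap-checker that runs the five audit steps above against an evidence inventory: named owner and written policy per standard, risk analysis age, training records for every workforce member, a signed and current BAA per vendor, and a documented restore test. The inventory schema, field names and the sample data are assumptions constructed for the example.

```python
from datetime import date

STANDARDS = (  # the nine administrative safeguard standards in 45 CFR 164.308
    "Security Management Process", "Assigned Security Responsibility",
    "Workforce Security", "Information Access Management",
    "Security Awareness and Training", "Security Incident Procedures",
    "Contingency Plan", "Evaluation",
    "Business Associate Contracts and Other Arrangements",
)
MAX_RISK_ANALYSIS_AGE_DAYS = 365  # older than 12 months counts as stale


def audit_gaps(evidence, today):
    """Return gap descriptions; an empty list means every check passed.
    evidence (hypothetical schema): owners/policies map standard -> person/doc;
    risk_analysis_date; workforce/trained (member ids); vendors; baas maps
    vendor -> {"signed", "expires"}; last_restore_test (date or None)."""
    gaps = []
    for std in STANDARDS:  # step 1: named owner and written policy per standard
        if not evidence["owners"].get(std):
            gaps.append(f"no named owner: {std}")
        if not evidence["policies"].get(std):
            gaps.append(f"no written policy: {std}")
    ra = evidence.get("risk_analysis_date")  # step 2: risk analysis freshness
    if ra is None or (today - ra).days > MAX_RISK_ANALYSIS_AGE_DAYS:
        gaps.append("risk analysis missing or older than 12 months")
    # step 3: every workforce member (temps and volunteers too) has a record
    for person in sorted(set(evidence["workforce"]) - set(evidence["trained"])):
        gaps.append(f"no training record: {person}")
    for vendor in evidence["vendors"]:  # step 4: signed, unexpired BAA per vendor
        baa = evidence["baas"].get(vendor)
        if baa is None or not baa["signed"] or baa["expires"] < today:
            gaps.append(f"BAA missing, unsigned or expired: {vendor}")
    if evidence.get("last_restore_test") is None:  # step 5: restore actually tested
        gaps.append("no documented backup restore test")
    return gaps


# Constructed sample inventory for a small practice (not real data).
SAMPLE = {
    "owners": {s: "J. Doe, Security Officer" for s in STANDARDS},
    "policies": {s: f"POL-{i:02d}" for i, s in enumerate(STANDARDS, 1)},
    "risk_analysis_date": date(2024, 6, 1),
    "workforce": ["emp-01", "emp-02", "temp-03", "vol-04"],
    "trained": ["emp-01", "emp-02"],
    "vendors": ["cloud-host", "billing-co", "it-msp"],
    "baas": {"cloud-host": {"signed": True, "expires": date(2027, 1, 1)},
             "billing-co": {"signed": False, "expires": date(2027, 1, 1)}},
    "last_restore_test": date(2025, 11, 20),
}
SAMPLE["policies"]["Evaluation"] = None  # one policy deliberately missing
```

Running `audit_gaps(SAMPLE, date(2026, 3, 1))` on the sample reports six gaps: the missing Evaluation policy, a stale risk analysis, two untrained workforce members, and two vendors without a valid BAA.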
The Difference Between "Addressable" and "Required"
One nuance that trips people up: within these nine administrative standards, some implementation specifications are labeled "required" and others are labeled "addressable." Addressable does not mean optional. It means you must assess whether the specification is reasonable and appropriate for your environment. If it is, you implement it. If it isn't, you document why and implement an equivalent alternative measure.
OCR has made this distinction painfully clear in guidance documents and enforcement actions. "It was only addressable, so we skipped it" is not a defense they accept. You can review the full regulatory text at 45 CFR Part 164 Subpart C on law.cornell.edu.
What This Means for Your Organization Right Now
If you came here asking how many administrative areas apply to HIPAA regulations, the concrete answer is nine standards under the Security Rule's administrative safeguard category. But knowing the number isn't enough. You need to operationalize each standard with policies, assigned personnel, documented evidence, and regular review cycles.
The organizations that do this well don't just avoid penalties. They build a security culture that protects patients, reduces breach risk, and makes every future audit dramatically less stressful. The ones that don't? They end up in the OCR settlements database, wishing they'd started sooner.