ISC2 Governance, Risk and Compliance (CGRC) Practice Question

Under the HIPAA Security Rule, the security standards are grouped into three safeguard categories: administrative (§164.308), physical (§164.310), and technical (§164.312). Conducting a risk analysis (§164.308(a)(1)(ii)(A)) and designating a security official (§164.308(a)(2)) are both listed within the Administrative Safeguards section. Physical safeguards address facility and device protections, while technical safeguards focus on electronic measures such as access control and encryption. Separate from these safeguards, §164.314 establishes organizational requirements (for example, business associate contracts). Because both cited requirements appear in §164.308, they are Administrative Safeguards.