Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
NIST SP 800-66 Rev. 1
(45 C.F.R., Sec. 164.304)