Administrative actions, policies, and procedures to manage the selection,
development, implementation, and maintenance of security measures to protect
electronic health information and to manage the conduct of the covered entity's
workforce in relation to protecting that information.
SOURCE: SP 800-66