The HIPAA Security Final Rule comprises Standards (what must be done) and Implementation Specifications (how it must be done) for creating policies, procedures and practices to prevent, detect, contain and correct security violations.
Implementation specifications are indicated as required or addressable. As organizations work towards HIPAA-HITECH compliance, it is important to understand the difference.
A covered entity or business associate must comply with a required implementation specification. For example, all covered entities and business associates, including small providers, must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.
For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:
- Implement the addressable implementation specification as stated;
- Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
- Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.
Covered entities and business associates are required to document these assessments and all decisions. For example, all covered entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.
Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented.
An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.
- Don’t waste time debating about ‘addressable’ versus ‘required’.
- Just do it! – the vast majority of the standards specifications make good business sense.
- HIPAA Security Standards set a “floor” or “baseline” for security.
- Don’t make the mistake of thinking ‘addressable’ means ‘optional’; it does not!