HIPAA Required vs Addressable

Ryan Stephens, CloudApper
Nov 2, 2020

In today’s article, we will be discussing the differences between required and addressable HIPAA compliance implementation specifications. Contrary to what most people assume, “addressable” does not mean “optional”. Each of the HIPAA Security Rule’s implementation specifications describes how standards should be executed, but they are categorized as either “required” or “addressable”.

The HIPAA Security Rule sets forth the standards for the protection of healthcare data through a series of regulations aimed at ensuring the integrity, security, and confidentiality of protected health information stored or transmitted in electronic form (ePHI). As an extension of the requirements laid out in the HIPAA Privacy Rule, the Security Rule was devised to be flexible enough to accommodate Covered Entities (CEs) of any size and structure, as well as emerging technologies and evolving cybersecurity threats.

With the rapid adoption of emerging technologies in the healthcare industry, it is vital for Covered Entities and Business Associates (BAs) alike to know the main differences between required and addressable HIPAA requirements.

“Required” HIPAA specifications

The word “required” is self-explanatory. Required specifications must be implemented; otherwise the organization simply fails to comply with the HIPAA Security Rule. Mandatory implementation specifications account for 48% of the HIPAA Security Rule, while “addressable” specifications make up the remaining 52%. What “addressable” actually entails is far less widely understood.

“Addressable” HIPAA Specifications

Unlike the required specifications, rules that are itemized as “addressable” work slightly differently and offer more flexibility. They are not, however, optional, and CEs and BAs must fully understand this. Although they are often technical in nature, addressable specifications give organizations the flexibility to choose among various security measures, as long as those measures accomplish the objective of the requirement.

As an analogy, suppose an addressable specification told you to surprise someone with a birthday cake. You could bake it yourself or buy one from a store; the method does not matter as long as the person receives the cake.

What are the available options for HIPAA Addressable Specifications?

According to the HHS, entities have three options at their disposal:

  • Implement the “addressable” specification as written.
  • Implement an alternative measure that accomplishes the same purpose.
  • Not implement it at all.

Each organization must assess whether a given “addressable” specification is reasonable and appropriate for its practice.

What happens if I don’t implement an “addressable specification”?

Many small to medium-sized organizations simply ignore the addressable specifications. However, the decision to not implement an addressable requirement cannot be made casually.

For each addressable specification that is not implemented as written, the organization must describe and fully document why it chose not to implement it, to use an alternative measure, or to implement only a partial solution.

If your organization faces a HIPAA audit, the Office for Civil Rights (OCR) will review all of this documentation and determine whether your decision was appropriate. Without concrete documentation, OCR may assume you have disregarded or willfully neglected the specifications, and you will be fined.

Choosing not to implement an “addressable” item may be appropriate under certain circumstances. For example, the specification might actually decrease the security of PHI (protected health information), security measures already in place may render the “addressable” requirement moot, or it may simply not apply to your situation.

On an important note, organizations will never be fined for going over the top with security measures. Overlooking one that applies to your practice, whether accidentally or deliberately, can however result in severe consequences. If you are not sure whether a specification applies, it is always safest to implement it.

What are the “addressable” components?

The implementation safeguards under the HIPAA Security Rule are broken down into three parts: Administrative, Technical, and Physical.

Here is a list of “addressable” items:
