HIPAA FAQ: Required vs. Addressable

Rook Security, SECOPS
Mar 5, 2015

This series of blog posts features FAQs regarding the HIPAA Security Rule.


What is the difference between “required” and “addressable” implementation specifications?

If an implementation specification is described as “required,” it must be implemented. The concept of “addressable” implementation specifications was developed to give covered entities additional flexibility in complying with the HIPAA Security Rule.

An addressable implementation specification requires the covered entity to assess whether the safeguard is reasonable and appropriate in its environment. The covered entity must analyze the reasonably anticipated threats to its ePHI and determine whether the safeguard will protect the confidentiality, integrity, and availability of that ePHI. If, based on its assessment, the organization does not implement an addressable specification, it must document the reason and, where reasonable and appropriate, implement an equivalent compensating control. See C.F.R. § 164.306(d)(ii)(B)(2) for more information.

For each of the addressable implementation specifications, a covered entity must do one of the following:

  • Implement the specification.
  • If implementing the specification is not reasonable and appropriate:
      ◦ Document the rationale supporting the decision, and
      ◦ Implement an equivalent measure that is reasonable and appropriate and that would protect ePHI.
  • Not implement the addressable implementation specification or an equivalent alternative measure, if the standard can still be met and implementing the specification or an alternative would not be reasonable or appropriate.

The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:

  • The entity’s risk analysis — What current circumstances leave the entity open to unauthorized access and disclosure of ePHI?
  • The entity’s security analysis — What security measures are already in place or could reasonably be put into place?
  • The entity’s financial analysis — How much will implementation cost?

Key Takeaways

  1. Implement all required implementation specifications.
  2. Implement all reasonable and appropriate addressable implementation specifications.
  3. Analyze all other addressable implementation specifications, and either:
      ◦ Implement compensating controls that accomplish the same goal, or
      ◦ If the safeguard cannot be implemented:
          ▪ Document your risk analysis, security analysis, and financial impact.
          ▪ Have an officer of your organization sign an acknowledgement and acceptance of the analysis and of the decision not to implement.

Additional Information

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf
