HIPAA Security Addressable or Required
The standards in the HIPAA Security Rule are backed by implementation specifications, and each specification is labeled either Required or Addressable (45 CFR 164.306(d)).
Required – If an implementation specification is marked “required,” it MUST be implemented as written. There is no risk-based option to substitute another measure or to skip it.
Addressable – The concept of “addressable implementation specifications” was developed to provide Covered Entities (CEs) and their Business Associates (BAs) additional flexibility with respect to compliance with the security standards.
In meeting standards that contain addressable implementation specifications, a CE or BA will do one of the following for each addressable specification:
(a) implement the addressable implementation specifications;
(b) implement one or more alternative security measures to accomplish the same purpose;
(c) not implement either the addressable implementation specification or an alternative, where neither is reasonable and appropriate in the entity’s environment. Even then, the underlying standard must still be met, and the reasons for the decision must be documented.
Each CE or BA must assess whether a given addressable implementation specification is a reasonable and appropriate safeguard in its own environment.
In practice this means a CE or BA must implement an addressable implementation specification if doing so is reasonable and appropriate, and must implement an equivalent alternative measure if the specification itself is not reasonable and appropriate but a reasonable and appropriate alternative exists.
The decision depends on a variety of factors, among them the entity’s risk analysis, its risk mitigation strategy, the security measures already in place, and the cost of implementation.
Don’t forget each choice must be documented.
The decisions an organization makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered, the results of the risk analysis on which the decision was based, and, where a specification was not implemented, the reasons it was judged not reasonable and appropriate. Like other Security Rule documentation, this record must be retained for six years from the date of its creation or the date it was last in effect, whichever is later (45 CFR 164.316(b)(2)(i)), so an auditor can see not just what was decided but why.
Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why leave yourself wide open to such risks?
Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about it – schedule a call with HIPAA alli today!