Addressable and Required: Know the Difference



Under the HIPAA Security Rule, Covered Entities (CEs) and their third-party vendors, referred to as regulated entities by the Department of Health and Human Services, are required to comply with every Security Rule “Standard.” Some of those standards are categorized as addressable and required.

Addressable and Required Breakdown

The HIPAA Security Rule contains several implementation specifications that are labeled as Addressable or Required specifications.

Required – If an implementation specification is described as “required,” the specification MUST be implemented.

Addressable – The concept of “addressable implementation specifications” was developed to give providers and their third-party vendors additional flexibility with respect to compliance with the security standards. One important thing to remember: the “addressable” designation does not mean that an implementation specification is optional.

HHS to the Rescue

Luckily, HHS has come to our rescue in its response to the following frequently asked question:

“What is the difference between addressable and required implementation specifications in the Security Rule?”

Below is a breakdown of their response:

If the standard is not reasonable and appropriate, the Security Rule allows the regulated entity to adopt an alternative measure to achieve the purpose of the standard if the alternative measure is reasonable and appropriate (45 C.F.R. § 164.306(d)).

In meeting standards that contain addressable implementation specifications, a regulated entity will do one of the following for each addressable specification:

  1. Implement the addressable implementation specifications
  2. Implement one or more alternative security measures to accomplish the same purpose
  3. Not implement either an addressable implementation specification or an alternative

Each regulated entity must evaluate whether a given addressable implementation specification is a reasonable and appropriate security measure to implement within their particular security framework.

HHS provides the following example:

A regulated entity must implement an addressable implementation specification if it is reasonable and appropriate to do so and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.

The decision to implement an addressable implementation specification will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.

It's All in the Documentation


Don’t forget: each choice must be documented. After all, you don’t want the HHS auditor to say, “I find your lack of documentation disturbing.”

The decisions a regulated entity makes regarding addressable specifications must be documented in writing. Written documentation should include the factors considered as well as the results of the risk assessment (analysis) on which the decision was based.

Something to Ponder

The HIPAA security risk analysis process is an opportunity to learn as much as possible about the health of your information security. Don’t ignore your need to be HIPAA compliant! Any device or media that contains protected health information (PHI) needs to be properly protected – HIPAA is not system or hardware specific – it applies to all!