The HIPAA Security Rule’s implementation specifications are each labeled as either “required” or “addressable.” The differences in these designations may be confusing so we’ll do a quick review of each.
A “required” implementation specification is exactly that: required. Failure to include this specification is an automatic failure to comply with the HIPAA Security Rule.
If an implementation specification is labeled as “addressable,” then the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity’s environment. After analyzing the specification, the covered entity then decides if it is reasonable and appropriate to include.
If yes: The entity must implement the specification.
If no, the entity must:
- Document the rationale supporting the decision not to implement the specification;
- If appropriate, implement an equivalent alternative measure; OR,
- Do not implement the specification or an alternative as long as equivalent measures are not reasonable and appropriate within the entity’s environment.
It is important to remember that “addressable” implementation specifications are not “optional,” and equally important to ensure that decisions not to implement them are documented. The entity’s formal security risk analysis document is a good place to document such decisions.
When in doubt, include all “addressable” implementation specifications. An organization can’t go wrong with including all of the Security Rule’s implementation specifications.