Understanding the HIPAA Security Rule Regarding Required vs. Addressable Implementation Specifications

Compliance with the requirements of the HIPAA Security Rule starts with understanding how it is constructed. The Security Rule is comprised of security standards and implementation specifications. Each Security Rule standard is a requirement: a covered entity must comply with all of the standards of the Security Rule with respect to the ePHI it creates, transmits or maintains. Many of the standards contain implementation specifications. An implementation specification is a more detailed description of the method or approach covered entities can use to meet the requirements of a particular standard.

The Security Rule is structured to be both scalable and flexible, so that covered entities of different types and sizes can implement the standards and implementation specifications in a manner that is reasonable and appropriate to their circumstances. HIPAA did not mandate the use of specific technologies or require uniform policies and procedures for compliance because the regulatory authorities recognized the diversity of regulated entities and appreciated the unique characteristics of their environments.

The Security Rule’s scalability and flexibility are made possible through the use of implementation specifications, each of which is labeled in the Rule as either “required” or “addressable.” The differences between these designations can be confusing, so we’ll do a quick review of each.

Required: A “required” implementation specification is exactly that: required. In that regard, “required” implementation specifications are similar to standards. A covered entity must comply with required implementation specifications, and failure to do so is an automatic failure to comply with the HIPAA Security Rule.

  • An example of a “required” implementation specification is the requirement that all covered entities must conduct a security risk analysis of their ePHI in accordance with Section 164.308(a)(1) of the Security Rule.
  • The Security Rule is inflexible with regard to completing the security risk analysis.

Addressable: For “addressable” implementation specifications, the covered entity must assess whether the security safeguard is reasonable and appropriate in the entity’s environment.

  • An example of an “addressable” implementation specification is the requirement that all covered entities must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.
  • The Security Rule is flexible with regard to the use of encryption, as it allows reasonableness and appropriateness to be considered. In practice, this may lend support to a decision not to encrypt ePHI at rest within the confines of a data center while concluding that all portable workstation hard drives must be encrypted because of the risk that they may be lost or stolen.

It is important to remember that “addressable” does not mean “optional” when it comes to implementation specifications.

Assessing the Addressable Implementation Specifications: After performing the aforementioned assessment of addressable implementation specifications, the covered entity must decide whether it will:

  • Implement the implementation specification.
  • Implement an equivalent alternative measure that allows the entity to comply with the standard.
  • Not implement the implementation specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities are required to document their assessments and all decisions. Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is a factor that entities may consider in determining whether to implement a particular security measure, some appropriate measure must be implemented. The potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.
