DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
The HIPAA Security Rule contains a series of standards, such as the facility access controls standard and the device and media controls standard. Many standards contain "implementation specifications," which are measures for how to implement the standard. (Some standards, such as the audit controls standard, contain no implementation specifications; compliance with such standards is still required.) When a standard contains implementation specifications, the words "implementation specifications" appear in the text of the standard. Implementation specifications are either required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after its title. If an implementation specification is addressable, the word "Addressable" appears in parentheses after its title.
This article discusses the distinction between required standards and addressable standards.
What is the General Rule for Required Standards?
When a specific standard includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.
What is the General Rule for Addressable Standards?
The fact that covered entities and business associates must adopt required standards does not mean that they are free to ignore addressable standards.
Rather, when a specific standard includes addressable implementation specifications, a covered entity or business associate must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to its likely contribution to protecting electronic protected health information.
Per HHS guidance, covered entities and business associates must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative measure if the addressable implementation specification is not reasonable and appropriate but a reasonable and appropriate alternative exists. The decision will depend on a variety of factors, including the entity's risk analysis, its risk mitigation strategy, the security measures already in place, and the cost of implementation. Whatever a covered entity or business associate decides regarding an addressable specification must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.