In today’s article, we will be discussing the differences between required and addressable HIPAA compliance implementation specifications. Contrary to what most people assume, “addressable” does not mean “optional”. Each of the HIPAA Security Rule’s implementation specifications describes how standards should be executed, but they are categorized as either “required” or “addressable”.
The HIPAA Security Rule sets forth the standards for the protection of healthcare data through a series of regulations aimed at ensuring the integrity, security, and confidentiality of protected health information stored or transmitted in electronic form (ePHI). As an extension to the implementations outlined in the HIPAA Privacy Rule, the Security Rule was devised to be flexible to accommodate various sizes and structures of any Covered Entity (CE), as well as, emerging technologies and progressive cybersecurity threats.
With the rapid adoption of emerging technologies in the healthcare industry, it is vital for Covered Entities, and Business Associates (BAs) as well, to know the main differences between required and addressable HIPAA requirements.
“Required” HIPAA specifications
The word “required” itself is pretty much self-explanatory. Required specifications must be implemented, or organizations will simply fail to comply with the HIPAA Security Rule. The mandatory implementation requirements account for 48% of the HIPAA Security Rule, while “addressable” constitutes 52% of the rule’s specifications. Not many people understand what this entails.
“Addressable” HIPAA Specifications
Unlike the required specifications, rules that are itemized as “addressable” are slightly different and offer more flexibility. These are not, however, optional. CEs and BAs must fully understand this. While often being technical, addressable specifications allow organizations the flexibility to implement various security measures to accomplish the objectives of the requirements.
As an example, if you were given addressable specifications to surprise and present someone with a birthday cake, you can either make it yourself or buy one from a store. It doesn’t matter as long as the person receives the gift.
What are the available options for HIPAA Addressable Specifications?
According to the HHS, entities have three options at their disposal:
- Implement the “addressable” specifications.
- Use different methods to accomplish the same purpose.
- Not implement them.
Each organization must assess whether an “addressable specification” is appropriate and reasonable for their practice.
What happens if I don’t implement an “addressable specification”?
Many small to medium-sized organizations simply ignore the addressable specifications. However, the decision to not implement an addressable requirement cannot be made casually.
For each addressable specification not implemented, organizations must describe and fully document why they chose to either not implement them, use a different method, or implement a partial solution.
In case your organization faces a HIPAA audit, the Office for Civil Rights (OCR) will review all the documentation and will determine whether your decision is appropriate or not. Without concrete documentation, OCR may assume you have disregarded or willfully neglected the specifications, and you will be fined.
The decision to not implement the “addressable” items may be appropriate under certain circumstances. For example, the specification might actually decrease the security of PHI (protected health information), security measures already implemented may render the “addressable” requirement moot, or it just simply does not apply to your situation.
On an important note, organizations will never be fined for going over the top with security measures. However, accidentally or purposely forgetting about one that applies to your practice can result in severe consequences. Therefore, it is always best to implement them if you are not sure.
What are the “addressable” components?
The implementation safeguards under the HIPAA Security Rule are broken down into three parts: Administrative, Technical, and Physical.
Here is a list of “addressable” items-
- Authorization and/or supervision
- Workforce clearance procedure
- Termination procedures
Information Access Management
- Access authorization
- Access modification and establishment
Security and Awareness Training
- Security reminders
- Protection from malicious software
- Log-in monitoring
- Password Management
- Testing and revision procedures
- Applications and data criticality analysis
Facility Access Control
- Facility security plans
- Maintenance records
- Access control and validation procedures
- Contingency operations
Device and Media Controls
- Data backup and storage
- Automatic logoff
- Encryption and decryption
- Tools to authenticate electronic protected health information
- Integrity Controls
Compliance is always important. When in doubt, organizations should simply take action rather than debate what is addressable or required. Companies tend to ignore the addressable requirements because they want to avoid extra burden. However, with HIPAA Ready, organizations can streamline all their compliance efforts from a single centralized platform – reducing complexities and administrative burden throughout the process.
Why choose HIPAA Ready?
Save time – Combines all the compliance management modules and allows organizations to manage compliance more effectively and efficiently from a single centralized platform.
Reduce Paperwork – Avoid the hassle of unnecessary paperwork and administrative work hours to manage HIPAA compliance in a fast and efficient manner, freeing up extra time so that employees can also focus on other required tasks.
Remote Access – Users can access all the information and run reports using mobile devices and web browsers from anywhere 24/7. It helps to keep users up to date with the latest guidelines so that appropriate changes can be made quickly and effortlessly.