Addressable and required are the two categories of implementation specification within the HIPAA Security Rule. Each security standard in the Rule is broken down into one or more implementation specifications that describe how covered entities and business associates are expected to safeguard electronic protected health information (ePHI), and every implementation specification is labeled either required or addressable.
Required implementation specifications must be implemented by every covered entity, regardless of its size or resources. They spell out specific security measures and procedures that organizations must adopt to protect ePHI, and failing to implement them is a violation of the Security Rule that can lead to severe penalties.
Addressable implementation specifications give covered entities flexibility in how they meet the underlying standard, but addressable does not mean optional. For each one, the organization must assess whether the measure is "reasonable and appropriate" in its own environment. If it is, the measure must be implemented. If it is not, the organization must document why, and implement an equivalent alternative measure that achieves the same security goal if such an alternative is reasonable and appropriate. Addressable specifications recognize that not every security measure fits every organization's risk profile or resources, but they still require a documented, defensible decision.
See also: What is the difference between addressable and required implementation specifications?
The standards themselves do not change for smaller healthcare practices; what changes is how they are implemented. The Security Rule's "flexibility of approach" provision lets each organization choose measures that are reasonable and appropriate for its size, complexity, and capabilities; its technical infrastructure, hardware, and software security capabilities; the cost of the security measures; and the probability and criticality of potential risks to its ePHI. Smaller practices typically have fewer staff, limited budgets, and less technical infrastructure than large healthcare organizations, so the same standard may be satisfied with simpler, less costly controls, provided the risk analysis supports that choice and the decision is documented.
See also: What is the HIPAA Security Rule?
Identify applicable standards: Determine which security standards apply to your organization based on the nature of your operations, the systems you use, and the ePHI you handle. Each standard may have multiple implementation specifications.
Understand the difference: Grasp the distinction between addressable and required implementations. Required implementations are mandatory and must be implemented without exception. Addressable implementations provide some flexibility, allowing organizations to assess their specific circumstances and determine the reasonableness and appropriateness of implementation.
Assess the standard: For each applicable security standard, identify which of its implementation specifications are required and which are addressable. Some standards contain only required specifications, some only addressable ones, and some a mix of both. This will guide your subsequent steps.
Implement required implementations: If a security standard contains only required implementations, you must implement them without exception. Ensure these safeguards are in place to comply with the Security Rule.
Evaluate addressable implementations: If a security standard includes addressable implementation specifications, conduct a thorough evaluation to determine whether each one is reasonable and appropriate in your organization's specific context. Base the evaluation on your risk analysis and consider the factors the Rule itself lists: the size, complexity, and capabilities of the organization; its technical infrastructure and existing security capabilities; the cost of the measure; and the probability and criticality of the risks to ePHI that the measure would address.
Document decision-making: Document your decision-making process for each addressable implementation. Clearly explain the rationale behind your determination, taking into account the factors mentioned above. Document alternative measures chosen or justifications for not implementing specific addressable measures.
Implement addressable measures: Based on your evaluation, implement the addressable measures deemed reasonable and appropriate for your organization. Ensure these measures are properly documented and integrated into your policies and procedures.
HIPAA compliant email is governed largely by addressable implementation specifications. The Security Rule does not name email or mandate email encryption outright; instead, encryption of ePHI in transit is an addressable specification under the Transmission Security standard, so a covered entity must decide, based on its risk analysis, whether encrypting email is "reasonable and appropriate" for its environment. Because email routinely leaves the organization's network and passes through third-party mail servers, most practices will find that encryption is reasonable and appropriate, and a practice that concludes otherwise must document its reasoning and put an equivalent safeguard in place. For small practices, this flexibility is valuable because it allows them to match their email security measures to their resources and risks rather than to a one-size-fits-all mandate. Implementing HIPAA compliant email solutions, such as encryption in transit and access controls on mailboxes, helps small practices protect patient information during email communications while meeting the standard in a way they can document and defend.