What is the difference between addressable and required implementation specifications?

Addressable and required implementations are two categories of security measures outlined in the Security Rule. Understanding the distinction between addressable and required implementations helps organizations focus on addressing the risks first.

Addressable v required implementations 

Required Implementations

HHS guidance provides that, “If an implementation specification is described as “required,” the specification must be implemented.” These measures are necessary for compliance with the Security Rule. Required implementations include:

• Conducting a thorough risk analysis 
• Implementing access controls
• Implementing audit controls
• Implementing physical safeguards
• Implementing technical safeguards
  
  

Addressable Implementations

The same HHS guidance states that “The concept of "addressable implementation specifications" was developed to provide covered entities additional flexibility with respect to compliance with the security standards.” 

Organizations must evaluate whether implementing an addressable measure is reasonable and appropriate in their environment. If it is, they must implement it. If it is not, they must document the rationale for not implementing it and implement an equivalent alternative measure if reasonable and appropriate. 

Addressable implementations include:

• Implementing encryption
• Implementing automatic logoff
• Implementing a mechanism to authenticate ePHI
• Implementing integrity controls.
• Implementing contingency plans

Related: What is the HIPAA Security Rule?

Factors to consider when implementing addressable and required implementations

1. Identify applicable standards: Determine which security standards are applicable to your organization based on the nature of your operations, the systems you use, and the ePHI you handle. Each standard may have multiple implementation specifications.
2. Understand the difference: Grasp the distinction between addressable and required implementations. Required implementations are mandatory and must be implemented without exception. Addressable implementations provide some flexibility, allowing organizations to assess their specific circumstances and determine the reasonableness and appropriateness of implementation.
3. Assess the standard: For each applicable security standard, evaluate whether it contains only required implementations or both required and addressable implementations.
4. Implement required implementations: If a security standard contains only required implementations, you must implement them without exception.
5. Evaluate addressable implementations: If a security standard includes addressable implementations, conduct a thorough evaluation to determine the reasonableness and appropriateness of implementation in your organization's specific context. 
6. Document decision-making: Document your decision-making process for each addressable implementation. Clearly explain the rationale behind your determination, taking into account the factors mentioned above. Document alternative measures chosen or justifications for not implementing specific addressable measures.
7. Implement addressable measures: Based on your evaluation, implement the addressable measures that are deemed reasonable and appropriate for your organization. 

Related: Understanding and implementing HIPAA rules

The concept of "reasonable and appropriate" 

The concept of "reasonable and appropriate" allows organizations to tailor their implementation approach based on their unique circumstances, capabilities, and risk profiles. It requires organizations to conduct a thorough risk analysis and consider factors such as cost, feasibility, industry standards, and best practices. The concept emphasizes a balanced and practical approach to implementing security measures. 

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

What is HIPAA? 

The Health Insurance Portability and Accountability Act is designed to protect patient privacy.

What is the Security Rule?

It establishes the standards for the protection of ePHI.

What is ePHI?

Any PHI created, stored, transmitted or received electronically.