ATG HIPAA Security Rule Alerts
Alert #5
Covered Entities Must Understand Addressable versus Required Specifications
Covered Entities (CEs) must comply with all of the basic requirements in the Security Rule. However, the final Rule provides guidance on which are "Required Implementation Specifications" versus those which are "Addressable Implementation Specifications"; that is, those which may be implemented depending on the organization's environment, configuration, and other factors. The "Addressable" specifications are not specifically mandated, but instead are provided as suggested means to achieve compliance that must be addressed in some fashion. This approach allows individual organizations to assess their risks and implement elements of the Security Rule that they decide are "reasonable and appropriate." All decisions and rationale regarding addressable specifications must be documented.
For each addressable specification, the CE may evaluate whether the recommendation is reasonable and appropriate given the entity's unique environment. Factors involved in determining whether a guideline is reasonable and appropriate include the results of a risk analysis, any risk mitigation strategy, what security measures are already in place, the cost of implementation, and similar factors.
If the CE determines: The specification is reasonable and appropriate...
Then: The specification must be implemented as indicated.

If the CE determines: The specification is not reasonable and appropriate, and the CE can document why not...
Then: The CE is free to implement any alternative measure believed to be reasonable and appropriate.

If the CE determines: The specification is not applicable in a given situation, and this is properly documented...
Then: The CE may meet the requirement without taking any additional action.
THE LAW
Office of the Secretary
45 CFR Parts 160, 162, and 164
Health Insurance Reform: Security Standards; Final Rule 4717
Subpart C-Security Standards for the Protection of Electronic Protected Health Information
§ 164.306 Security standards: General rules.
...(c) Standards. A covered entity must comply with the standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 with respect to all electronic protected health information.
(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must-
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity-
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate-
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.