The Health Insurance Portability and Accountability Act (HIPAA) was signed into effect in 1996 with the goal of protecting the privacy and individual rights of healthcare patients. Since then, it's been updated several times, with one of the most notable changes being the addition of the Security Rule. The Security Rule differs from the Privacy Rule in the sense that it focuses specifically on Electronic Protected Health Information (ePHI). In comparison, the Privacy Rule pertains to all forms of Protected Health Information (PHI).

When scouring through the details of the HIPAA Security Rule, however, you'll notice that specifications are listed as either “required” or “addressable.” It's important for doctors and other covered entities to understand the nuances between these two terms; otherwise, they risk violations that could lead to hefty fines and other corrective actions later down the road. So, what's the difference between addressable and required specifications in the HIPAA Security Rule?

The Department of Health and Human Services (HHS) explains that addressable specifications were developed to provide covered entities with greater flexibility in complying with the security standards. This is in stark contrast to a required specification, which lives up to its name by being a requirement for compliance with the HIPAA Security Rule.

When a covered entity encounters an addressable specification, it must perform one of the following:

  • Implement the addressable specification.
  • Implement one or more alternative measures that accomplish the same task as the addressable specification.
  • Not implement the addressable specification, nor an alternative measure that accomplishes the same task.

Regardless of which decision you make, the Security Rule requires covered entities to document it. So whether you decide to implement the addressable specification, implement one or more alternative measures, or forgo implementation altogether, be sure to document your actions.

Furthermore, covered entities must decide whether or not an addressable specification is reasonable and appropriate to implement. The HHS explains that even addressable specifications are required under certain circumstances.

“The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative,” explains the HHS.
