What is the difference between addressable and required implementation specifications?

Addressable and required implementation specifications are the two categories into which the HIPAA Security Rule (45 CFR Part 164, Subpart C) divides the concrete measures that sit beneath each of its security standards. Every standard is mandatory; the distinction applies only to the implementation specifications under it. Knowing which specifications are required and which are addressable lets an organization put fixed effort into the non-negotiable safeguards and spend its risk-analysis work on the decisions it is actually allowed to make.

Addressable vs required implementations

Required Implementations

Required implementation specifications (marked "R" in the Security Rule) must be implemented by every covered entity and business associate, with no exceptions and no alternative-measure path. They are the baseline safeguards for electronic protected health information (ePHI), and a covered entity cannot be compliant with the Security Rule without them.

Required implementations include

  • Conducting a risk analysis and managing the risks it identifies
  • Within the access control standard: unique user identification and an emergency access procedure
  • The audit controls standard itself, which has no implementation specifications and so must be met as written
  • Within the physical safeguards: disposal and media re-use procedures for hardware and media that hold ePHI
  • Within the contingency plan standard: a data backup plan, a disaster recovery plan and an emergency mode operation plan

Addressable Implementations

Addressable implementation specifications (marked "A") are not optional; "addressable" describes how they must be handled, not whether. For each one, the organization must evaluate whether implementing it is reasonable and appropriate in its environment, taking its risk analysis into account. If it is, the organization must implement it. If it is not, the organization must document why it is not reasonable and appropriate and implement an equivalent alternative measure if one is reasonable and appropriate. That documentation must be in writing and retained for six years, as required by 45 CFR 164.316(b). Addressable implementations include

  • Encryption and decryption of ePHI at rest, and encryption of ePHI in transit
  • Automatic logoff after a period of inactivity
  • A mechanism to authenticate ePHI, that is, to confirm it has not been altered or destroyed without authorization
  • Integrity controls for ePHI in transit
  • Testing and revision procedures, and an applications and data criticality analysis, for the contingency plan

How to work through required and addressable implementations

  1. Identify applicable standards: Determine which Security Rule standards apply to your organization based on the nature of your operations, the systems you use, and the ePHI you handle. Each standard can carry several implementation specifications.
  2. Classify each specification: For every specification under an applicable standard, note whether the rule marks it required or addressable. A standard may contain only required specifications, only addressable ones, a mix, or none at all (in which case the standard itself must be met as written).
  3. Implement the required specifications: These must be in place regardless of size, cost or existing controls; there is no alternative-measure path for them.
  4. Evaluate each addressable specification: Decide, in the context of your risk analysis, whether implementing it is reasonable and appropriate. The Security Rule (45 CFR 164.306(b)(2)) names the factors to weigh: the organization's size, complexity and capabilities; its technical infrastructure, hardware and software; the cost of the measure; and the probability and criticality of the risks to ePHI.
  5. Document the decision: Record the outcome for each addressable specification, the rationale behind it, and, where the specification is not implemented, the equivalent alternative measure chosen or the reason none is reasonable and appropriate. Without this record there is nothing to show an auditor that the evaluation took place.
  6. Implement what you decided: Put the addressable measures (or their alternatives) in place, and integrate them into the organization's policies and procedures so they can be audited and revisited as circumstances change.

The concept of "reasonable and appropriate"

"Reasonable and appropriate" is the Security Rule's standard for tailoring safeguards to an organization's circumstances, capabilities and risk profile. It is not a license to skip measures that are inconvenient: the judgment must rest on a documented risk analysis and weigh the cost of a measure against the probability and criticality of the risk it addresses, the organization's size and technical infrastructure, and the industry standards and best practices it would be expected to follow. The outcome can legitimately differ between a two-clinician practice and a hospital network, but both must be able to show how they reached it.

Potential consequences or penalties for non-compliance

Failing to implement a required implementation specification is a violation of the Security Rule in itself and can lead to monetary penalties and legal action, because those specifications are the baseline safeguards for ePHI. Not implementing an addressable specification is not automatically a violation, because the rule permits that outcome when it is documented and, where reasonable and appropriate, an equivalent alternative measure is in place.

What is scrutinised for addressable specifications is the decision process. During audits and compliance assessments the organization must be able to produce the written rationale and show that the alternative measure actually protects ePHI as well as the specification would have. Missing documentation, a rationale that ignores the risk analysis, or an alternative that leaves ePHI exposed can each result in penalties just as a missed required specification can.
