2 min read

What is the difference between addressable and required implementation specifications?

Picture of Kirsten Peremore Kirsten Peremore August 28, 2024

HIPAA compliance
Risk assessment flowchart with decision diamond showing Yes and No paths

Addressable and required implementations are two categories of security measures outlined in the Security Rule. Understanding the distinction between addressable and required implementations helps organizations focus on addressing the risks first.

 

Addressable v required implementations 

Required Implementations

HHS guidance provides that,If an implementation specification is described asrequired,the specification must be implemented.These measures are necessary for compliance with the Security Rule. Required implementations include:

  • Conducting a thorough risk analysis 
  • Implementing access controls
  • Implementing audit controls
  • Implementing physical safeguards
  • Implementing technical safeguards

Addressable Implementations

The same HHS guidance states thatThe concept of "addressable implementation specifications" was developed to provide covered entities additional flexibility with respect to compliance with the security standards. 

Organizations must evaluate whether implementing an addressable measure is reasonable and appropriate in their environment. If it is, they must implement it. If it is not, they must document the rationale for not implementing it and implement an equivalent alternative measure if reasonable and appropriate. 

Addressable implementations include:

  • Implementing encryption
  • Implementing automatic logoff
  • Implementing a mechanism to authenticate ePHI
  • Implementing integrity controls.
  • Implementing contingency plans

Related: What is the HIPAA Security Rule?

 

Factors to consider when implementing addressable and required implementations

  1. Identify applicable standards: Determine which security standards are applicable to your organization based on the nature of your operations, the systems you use, and the ePHI you handle. Each standard may have multiple implementation specifications.
  2. Understand the difference: Grasp the distinction between addressable and required implementations. Required implementations are mandatory and must be implemented without exception. Addressable implementations provide some flexibility, allowing organizations to assess their specific circumstances and determine the reasonableness and appropriateness of implementation.
  3. Assess the standard: For each applicable security standard, evaluate whether it contains only required implementations or both required and addressable implementations.
  4. Implement required implementations: If a security standard contains only required implementations, you must implement them without exception.
  5. Evaluate addressable implementations: If a security standard includes addressable implementations, conduct a thorough evaluation to determine the reasonableness and appropriateness of implementation in your organization's specific context. 
  6. Document decision-making: Document your decision-making process for each addressable implementation. Clearly explain the rationale behind your determination, taking into account the factors mentioned above. Document alternative measures chosen or justifications for not implementing specific addressable measures.
  7. Implement addressable measures: Based on your evaluation, implement the addressable measures that are deemed reasonable and appropriate for your organization. 

Related: Understanding and implementing HIPAA rules

 

The concept of "reasonable and appropriate

The concept of "reasonable and appropriate" allows organizations to tailor their implementation approach based on their unique circumstances, capabilities, and risk profiles. It requires organizations to conduct a thorough risk analysis and consider factors such as cost, feasibility, industry standards, and best practices. The concept emphasizes a balanced and practical approach to implementing security measures. 

Related: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is HIPAA? 

The Health Insurance Portability and Accountability Act is designed to protect patient privacy.

 

What is the Security Rule?

It establishes the standards for the protection of ePHI.

 

What is ePHI?

Any PHI created, stored, transmitted or received electronically. 
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
login on keyboard

Patient portals vs. email: Comparing security, costs and implementation

Gugu Ntsele : June 19, 2025

Patient portals were designed to provide patients with 24/7 access to their health information, appointment scheduling, prescription refills, and...

HIPAA compliant email Patient privacy
Read More
Paubox Zoom social mixer attendees

Paubox customers: Paubox Zoom social mixer (March 2026)

Picture of Dean Levitt Dean Levitt : March 19, 2026

At our March Zoom social mixer, the conversation focused on new Paubox features, AI implementation strategies for HIPAA compliance, and practical...

Paubox news
Read More
Image of a stack of papers and magnifying glass.

Understanding the HITRUST certification process

Lusanda Molefe : June 19, 2025

Organizations often underestimate the resources, time, and organizational change required to successfully complete the HITRUST certification process....

HIPAA compliance
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.