Contrary to popular belief, addressable does NOT mean optional.
Within the HIPAA Security Rule, each standard is broken down into implementation specifications that are either “required” or “addressable”; the specifications describe how the standard is to be carried out.
“Required” specifications are cut and dried: either you implement them, or you are automatically out of compliance with the Security Rule. These mandatory specifications make up 48% of the HIPAA Security Rule. “Addressable” specifications make up the remaining 52%, and many entities do not fully understand what “addressable” entails.
Addressable specifications are often technical, and they give an organization the flexibility to implement different security controls, as long as the controls accomplish the specification’s objective.
For example, if I had an addressable specification to cook a turkey, I could cook it in the oven like the recipe dictates, or I could BBQ, deep-fry, smoke, or microwave it. It doesn’t matter how I cook it, just that it gets cooked (and doesn’t give me food poisoning).
HHS explains that entities have three options for each addressable implementation specification: implement it as written, implement an equivalent alternative measure, or, where neither is reasonable and appropriate, implement neither and document why.
Each entity must individually assess whether an addressable specification is reasonable and appropriate for its own environment, and that assessment must be documented.
Many small and medium practices believe they can just ignore addressable items. Addressable does not mean optional, and the decision not to address a specification should not be made casually.
IMPORTANT: If you decide not to implement an addressable item as written, you must fully document why you chose not to implement the specification, and whether you implemented an alternative measure or a partial solution instead. If you go through a HIPAA audit, the Office for Civil Rights (OCR) will review that documentation and decide whether it agrees with your decision. If you don’t have solid documentation that states the reason and business justification for setting the specification aside, you should expect a penalty.
The decision not to implement an addressable item may be appropriate in some situations. Perhaps security measures are already in place that render this requirement moot, perhaps the security measures would actually decrease the overall security of PHI, or perhaps it simply doesn’t apply to your situation.
Here’s an example. If a small covered entity does not transmit ePHI over any electronic communications network, the addressable Integrity Controls §164.312(e)(2)(i) and Encryption §164.312(e)(2)(ii) specifications under the Transmission Security standard are not applicable. This could apply to a dental office that delivers records by hand (rather than over an Internet connection or by email) to other covered entities. Note that the standard covers any electronic communications network, not just transmissions that leave the building, so the conclusion only holds if ePHI is not moving over the office’s own network either.
In this specific case, staff should be interviewed to validate that no ePHI leaks out through any form of electronic transmission (email, web portals, electronic claims submitted from practice-management software, and so on), and that no ePHI is sent electronically to contracted business associates.
You can’t be penalized for going above and beyond on addressable specifications, but you can be penalized for overlooking one that applies to your entity, whether by accident or by choice. So if you aren’t sure whether an addressable specification applies to you, do it anyway!