Therapy Comply - What is the Difference Between “Required” and “Addressable” Specification in the HIPAA Security Rule?

Upcoming Webinars

OSHA Requirements for Therapy Practices and Facilities

29 May 2024 12:00 PM (CDT)
OSHA Requirements for Therapy Practices and Facilities

30 May 2024 12:00 PM (EDT)

Site Updates

Short Webinar - Medicare Assistants in 2024

6 May 2024 7:47 AM

Zachary Edgar
2024 Q2 NCCI Updates

18 Mar 2024 4:28 PM

Zachary Edgar
North Carolina Physical Therapy Compliance Guides

18 Mar 2024 3:57 PM

Zachary Edgar
Illinois Physical Therapy Compliance Guides

12 Mar 2024 12:00 PM

Zachary Edgar
Congress Reduces Medicare Rate Cut

9 Mar 2024 11:22 AM

Zachary Edgar

Disclaimer

The analysis of any legal or medical billing is dependent on numerous specific facts — including the factual situations present related to the patients, the practice, the professionals and the medical services and advice. Additionally, laws and regulations and insurance and payer policies are subject to change. The information that has been accurate previously can be particularly dependent on changes in time or circumstances. The information contained in this web site is intended as general information only. It is not intended to serve as medical, health, legal or financial advice or as a substitute for professional advice of a medical coding professional, healthcare consultant, physician or medical professional, legal counsel, accountant or financial advisor. If you have a question about a specific matter, you should contact a professional advisor directly. CPT copyright American Medical Association. All rights reserved. CPT is a registered trademark of the American Medical Association.

Home
HIPAA
HIPAA Blog
What is the Difference Between “Required” and “Addressable” Specification in the HIPAA Security Rule?

Back to list

What is the Difference Between “Required” and “Addressable” Specification in the HIPAA Security Rule?

17 Jul 2019 1:18 PM | Zachary Edgar (Administrator)

The purpose of the Health Insurance Portability and Accountability (HIPAA) Security Rule is to:

Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity (healthcare provider, health plan) or business associate creates, receives, maintains, or transmits;
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and
Ensure compliance of the covered entity’s workforce. 45 C.F.R. §164.306.

The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. Each one of these sections has multiple “standards” that must be followed by the covered entity. Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”.

A “required” implementation specification must be implemented by the covered entity.

An “addressable” implementation specification is more flexible, but it is not optional. A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:

Implement the addressable implementation specification;
Implement an equivalent alternative measure that allows the entity to comply with the standard; or
Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities must document the assessment and decision made regarding each specification.

If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:

The entity's risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?
The entity’s security analysis - What security measures are already in place or could reasonably be put into place?
The entity’s financial analysis - How much will implementation cost?

Citation

45 CFR §164.306

U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities

NIST SP 800-66

Therapy Comply does not claim copyright over US Federal and State materials

About Us

Therapy Comply is a healthcare compliance firm that seeks to bring high quality web-based compliance guidance and one-on-one consulting services to small and medium size physical, occupational, and speech therapy practices.

Learn More

Join Us

Join today as either a monthly or a yearly member and enjoy full access to the site and a significant discount to our live and recorded webinars. Members also have access to compliance and billing support.

Join Today

Find Us