Contrary to popular belief, addressable does NOT mean optional
By: Tod Ferran
Addressable
Addressable requirements are often technical, and allow organizations the flexibility to implement different security controls to accomplish the requirement's objective.
For example, if I had addressable specifications to cook a turkey, I could cook it in the oven like the recipe dictates, or I could BBQ, deep-fry, smoke, or microwave it. It doesn't matter how I cook it, just that it gets cooked (and doesn't give me food poisoning).
What are my options with addressable HIPAA requirements?
The HHS explains that entities have three options with addressable implementation specifications.
- Implement the specification
- Implement alternative measures to accomplish the same purpose
- Not implement anything
What if I don't implement an addressable HIPAA requirement?
Many small and medium practices believe they can just ignore addressable items. Addressable does not mean optional, and the decision not to address a specification should not be made casually.
IMPORTANT: If you decide not to implement an addressable item as written, you must fully document why you chose not to implement the specification, to implement an alternative, or to implement a partial solution. If you are forced to go through a HIPAA audit, the Office for Civil Rights (OCR) will review your documentation and determine whether they agree with your decision. If you don't have solid documentation that states the reason and business justification for disregarding the specification, you will be fined.
The decision not to implement an addressable item may be appropriate in some situations. Perhaps security measures are already in place that render this requirement moot, perhaps the security measures would actually decrease the overall security of PHI, or perhaps it simply doesn’t apply to your situation.
Here’s an example. If a small covered entity does not transmit PHI electronically outside their organization, addressable Integrity Control §164.312(e)(2)(i) and Encryption Control §164.312(e)(2)(ii) requirements are not applicable. This could apply to a dentist office that sends records by hand (vs. an Internet connection or email) to other covered entities.
In this specific case, staff should be interviewed to validate no data leakage occurs through any form of electronic transmission, and no extra data is received by contracted business associates.
You can't be penalized for going above and beyond on addressable rules, but you can be penalized for accidentally (or purposefully) forgetting about one that applies to your entity. So if you aren't sure whether an addressable specification applies to you, implement it anyway!
Here is a complete list of Addressable Implementation Specifications
Administrative
- Workforce Security
  - Authorization and/or supervision
  - Workforce clearance procedure
  - Termination procedures
- Information Access Management
  - Access authorization
  - Access establishment and modification
- Security Awareness and Training
  - Security reminders
  - Protection from malicious software
  - Log-in monitoring
  - Password management
- Contingency Plan
  - Testing and revision procedures
  - Applications and data criticality analysis
Physical
- Facility Access Controls
  - Contingency operations
  - Facility security plan
  - Access control and validation procedures
  - Maintenance records
- Device and Media Controls
  - Data backup and storage
Technical
- Access Control
  - Automatic logoff
  - Encryption and decryption
- Integrity
  - Mechanism to authenticate electronic protected health information
- Transmission Security
  - Integrity controls
  - Encryption
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.