Required vs. Addressable HIPAA

Contrary to popular belief, addressable does NOT mean optional

Tod Ferran, CISSP, QSA
By: Tod Ferran
In each HIPAA Security Rule, implementation specifications are either “addressable” or “required” and describe how standards should be executed.

Required vs. Addressable HIPAA

“Required” rules are quite cut and dried. Either you implement them, or you automatically fail to comply with the Security Rule. These mandatory rules represent 48% of the HIPAA Security Rule. “Addressable” constitutes 52% of Security Rule specifications, and many entities do not fully understand what that entails.


Addressable requirements are often technical, and allow organizations the flexibility to implement different security controls to accomplish the requirement’s objective.

For example, if I had addressable specifications to cook a turkey, I could cook it in the oven like the recipe dictates, or I could BBQ, deep-fry, smoke, or microwave it. It doesn’t matter how I cook it, just that it gets cooked (and doesn’t give me food-poisoning).

What are my options with addressable HIPAA requirements?

The HHS explains entities have three options with addressable implementation specifications.
  • Implement the specification
  • Implement alternative measures to accomplish the same purpose
  • Not implement anything
Each entity must individually assess whether addressable specifications are reasonable and appropriate for their environment.

What if I don't implement an addressable HIPAA requirement?

Many small and medium practices believe they can just ignore addressable items. Addressable does not mean optional, and the decision not to address a specification should not be made casually.

IMPORTANT: If you decide not to implement an addressable item, you must fully document why you chose not to implement the specification, implement an alternative, or implement a partial solution. If you are forced to go through a HIPAA audit, the Office for Civil Rights (OCR) will review your documentation and determine if they agree with your decision. If you don’t have solid documentation that dictates the reason and business justification for disregarding the specification, you will be fined.

The decision not to implement an addressable item may be appropriate in some situations. Perhaps security measures are already in place that render this requirement moot, perhaps the security measures would actually decrease the overall security of PHI, or perhaps it simply doesn’t apply to your situation.

Here’s an example. If a small covered entity does not transmit PHI electronically outside their organization, addressable Integrity Control §164.312(e)(2)(i) and Encryption Control §164.312(e)(2)(ii) requirements are not applicable. This could apply to a dentist office that sends records by hand (vs. an Internet connection or email) to other covered entities.

In this specific case, staff should be interviewed to validate no data leakage occurs through any form of electronic transmission, and no extra data is received by contracted business associates.

You can’t be penalized for going above and beyond on addressable rules, but you can be penalized for accidentally (or purposefully) forgetting about one that applies to your entity. So if you aren’t sure if an addressable applies to you, do it anyway!

Here is a complete list of Addressable Implementation Specifications

  • Workforce Security
    • Authorization and/or supervision
    • Workforce clearance procedure
    • Termination procedures
  • Information Access Management
    • Access authorization
    • Access establishment and modification
  • Security Awareness and Training
    • Security reminders
    • Protection from malicious software
    • Log-in monitoring
    • Password management
  • Contingency Plan
    • Testing and revision procedures
    • Applications and data criticality analysis
Physical Safeguards
  • Facility Access Controls
    • Contingency operations
    • Facility security plan
    • Access control and validation procedures
    • Maintenance records
  • Device and Media Controls
    • Accountability
    • Data backup and storage
Technical Safeguards
  • Access Control
    • Automatic logoff
    • Encryption and decryption
  • Integrity
    • Mechanism to authenticate electronic protected health information
  • Transmission Security
    • Integrity controls
    • Encryption
Was this post helpful? If so, please share!

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.