The HIPAA Security Rule can be confusing to read. Each standard in the rule comes with implementation specifications that are labeled either required or addressable, and I think the "addressable" versus "required" distinction is the most confusing part of it. We all know what required means, but what exactly does addressable mean?
Oftentimes addressable is construed as optional. This is absolutely not the case. For an addressable specification you must do one of three things, and document your decision in every case:
- Implement the specification as written
- Implement one or more alternative security measures that accomplish the same purpose
- Decide, on the basis of a documented risk assessment, not to implement the specification or an alternative
Wait. That still sounds optional. Obviously if we go with option 1 we have implemented the addressable specification, so we can check it off the list and move forward. If we go with option 2 we have made a decision to address the specification differently but end up with the same result. Think of this like taking an alternate route because traffic is heavy: you may drive around the block a different way, but you arrive at the same destination.
What if we go for option 3? Doesn't that make it optional? In a way it does feel like that. This part of the rule was written to give flexibility: you analyze the specification against your own environment and decide whether it is reasonable and appropriate. That decision has to come out of a risk assessment, and the rule itself (45 CFR 164.306(b)(2)) lists the factors that assessment weighs: your size, complexity and capabilities, your technical infrastructure, hardware and software, the cost of the security measure, and the probability and criticality of the risks to electronic PHI. If you conclude the specification is not reasonable and appropriate, everything must be documented: why it is not, and what, if anything, you are doing instead.
The formal risk assessment is the right place to document why you did not implement an addressable specification. Make sure you record why it is unreasonable or inappropriate for your organization. What you don't want to do is look at something that is addressable, treat it as optional, and simply not implement it. That is like seeing a yield sign, driving through without looking, and hitting someone's car: you have turned the yield sign into an optional sign and ignored it.
For more information, check out http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html.