Demystifying the HIPAA Security Rule implementation specifications

The HIPAA Security Rule is a set of standards for safeguarding electronic protected health information (ePHI). The standards tell organizations how to handle ePHI safely in general, and how to implement each standard through two kinds of measures: required and addressable implementation specifications. The ultimate goal of these regulations is to keep sensitive health information out of the hands of unauthorized individuals.

What is the purpose of implementation specifications within the HIPAA Security Rule?

The HIPAA Security Rule’s implementation specifications were designed to offer a more customizable and scalable implementation of security measures that cater to different types of businesses, including emerging technology, and different business sizes. The reason behind this flexibility is to protect ePHI from evolving cyber threats while allowing organizations to adopt new technology that supports more efficient, quality patient care.

Covered entities (CEs) and business associates (BAs) must comply with the standards that are included in the HIPAA Security Rule. However, within each standard, the implementation specifications describe how organizations can go about implementing and meeting each standard. This gives an organization’s security officer, for instance, more scope to execute the standards in the most appropriate way to protect ePHI within their business.

HIPAA Security Rule implementation specifications


There are two types of implementation specifications within the HIPAA Security Rule: required and addressable. Companies have to implement the required specifications, like a disaster recovery plan. However, there is more leeway with the addressable specifications, such as security and awareness training on password management.

For addressable specifications, organizations first need to assess whether the specification is relevant to their business by asking questions like:

  • Will the specification improve the security of our ePHI, or could it actually increase risk?
  • What are the cost implications?
  • Do we have the necessary technical infrastructure in place?
  • Do we have the necessary resources to implement it?

If implementing a particular addressable specification is not reasonable or appropriate, document the findings and information that support that decision. In this case, CEs or BAs may choose to implement an equivalent measure that achieves the same result, or not implement that specification at all.

Difference between required specifications and addressable specifications

Companies have to implement the required specifications. The addressable specifications are different. They are not mandatory, but CEs and BAs cannot just ignore the addressable measures. In this case, organizations need to assess whether an addressable specification is reasonable and appropriate for their business.

For instance, a small healthcare provider and a large hospital network will not have the same resources to implement policies or security measures. Once they’ve decided whether it’s relevant or not, they choose whether to implement it or achieve the same result using another method.

Required HIPAA implementation specifications

The required specifications are ones that businesses must fulfill. If any covered entity that works with ePHI does not implement the required measures, it is not complying with the HIPAA Security Rule and faces the potential risks of penalties and reputational damage.


If we look at an example, one of the standards — Access control (§ 164.312(a)) — includes this required implementation specification: Ensure that all system users have been assigned a unique identifier. It makes sense that this type of specification is required as it enables an organization to identify and track every user on their system and have electronic records in their system logs that will be needed in case of an audit.

Addressable HIPAA implementation specifications

Organizations have more flexibility when it comes to addressable specifications. They can assess whether each addressable specification is something that’s needed in their workflows or operations, and how they will reach the particular goal of each specification.

A covered entity or business associate can implement a security rule standard in a way that best suits their business and industry, to provide the maximum safety for their ePHI.

Examples of addressable specifications from the same access control standard are Automatic Logoff, and Encryption and Decryption. In this case, organizations can assess whether this level of security is necessary for their business.

If they transmit ePHI to other sub-contractors or their users work in a large, busy work environment, they’ll likely need to implement these addressable specifications or an alternative solution that will achieve the goal of the standard.

Are addressable implementation standards compulsory?

While the required specifications must all be followed, there is more flexibility with the addressable specifications. However, they are not optional. Organizations need to decide whether each addressable measure fits their organization, and then decide, based on detailed analysis, whether to implement the addressable specification or implement alternative security measures that achieve the same end.

The importance of supporting documentation

It’s always best to be thoroughly prepared regarding compliance matters, and HIPAA standards are no exception. Some CEs or BAs implementing the Security Rule’s addressable specifications may decide it’s best to implement alternative solutions (that still achieve the same end goal), or possibly not implement one of the addressable specifications at all.

In this case, it’s vital to keep detailed written documentation that demonstrates the reasoning behind that decision, together with the results of the analysis, such as a risk assessment, that support it. That way, you’ll have the necessary evidence to support a compliance audit or a review by the Office for Civil Rights (OCR).

Ultimately, covered entities and business associates need to be compliant with the HIPAA Security Rule and required standards. By educating the workforce, putting in technical and administrative safeguards, creating and maintaining detailed documentation, and performing regular risk analysis, your business can protect its ePHI and avoid unnecessary penalties.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.