HIPAA Implementation Specifications

The HIPAA Security Rule consists of a series of standards, which covered entities and their business associates must follow to safeguard the privacy of individuals’ electronic protected health information (ePHI). Each Security Rule standard is a requirement. Covered entities and business associates must comply with all of the standards of the Security Rule with respect to the ePHI they create, receive, transmit, or maintain. Many of the standards contain implementation specifications. Implementation specifications are more detailed descriptions of the method or approach covered entities can use to meet the requirements of a particular standard.

What Kinds of Implementation Specifications Exist?

There are two types of implementation specifications under the HIPAA Security Rule: required implementation specifications and addressable implementation specifications.

What are Required Implementation Specifications?

If an implementation specification is described as “required,” the covered entity must implement the specification. If the covered entity does not implement the specification, the covered entity has not taken all measures required under the Security Rule to protect the confidentiality, integrity, and availability of ePHI. 

The following is an example of a required implementation specification:

45 CFR 164.308 is a particular regulation under the Security Rule. The name of this regulation is “Administrative Safeguards.” Administrative safeguards consist of a series of standards.

45 CFR 164.308 contains eight standards in total. The first of these standards is known as the security management process. The security management process standard requires that a covered entity implement policies and procedures to prevent, detect, contain, and correct security violations.

The security management process standard contains four implementation specifications. These are:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

These four implementation specifications, risk analysis, risk management, sanction policy, and information system activity review, are all designated (as shown above) as “required.” Since these implementation specifications are described as “required,” the covered entity must implement them.

What are Addressable Implementation Specifications?

The fourth of the eight standards mentioned above is known as the information access management standard. The information access management standard requires covered entities to implement policies and procedures for authorizing access to electronic protected health information.

The information access management standard contains three implementation specifications. These are:

(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

The first of these implementation specifications, “isolating health care clearinghouse functions,” is required, and must be implemented. The remaining two, “access authorization” and “access establishment and modification,” are addressable.

Addressable implementation specifications were developed to provide covered entities with additional flexibility to achieve compliance with the security standards.

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:

  • Implement the addressable implementation specifications; or
  • Implement one or more alternative security measures to accomplish the same purpose; or
  • Not implement either an addressable implementation specification or an alternative.

Whichever choice the covered entity makes, the covered entity must document that choice. In making its choice, the covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. 

For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. 

This decision will depend on a variety of factors, such as, among others:

  • The entity’s risk analysis;
  • The entity’s risk mitigation strategy;
  • What security measures are already in place; and
  • The costs of implementation.

As noted above, the decisions that a covered entity makes regarding addressable specifications must be documented. The documentation must be in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.
