The HIPAA Security Rule—or the security standards for the protection of healthcare data, as it’s otherwise known—provides a set of regulations aimed at ensuring the protection of patients’ health information stored or transmitted in electronic form (ePHI). As an extension to the protections outlined in the HIPAA Privacy Rule, the Security Rule was intentionally designed to be flexible enough to accommodate the structure and size of any Covered Entity (CE) as well as advancements in technology and evolving cybersecurity threats.
With the rapid adoption of new technology in the healthcare industry, it’s more important than ever for CEs and Business Associates (BAs) today to understand an essential part of the rule—the difference between addressable and required implementation specifications.
What’s a Required Specification?
All CEs must comply with every “Standard” set forth in the Security Rule. Each standard is accompanied by implementation specifications, and these come in two types: required and addressable.
Compliance with required specifications in HIPAA’s Security Rule is mandatory. An example of a required specification is the risk analysis that must be conducted—even by small providers—in accordance with Section 164.308(a)(1). Another example of a required specification is that a “unique user identification” is required to access ePHI. No questions, no discussion, these things are expected and required.
What’s an Addressable Provision?
Specifications classified as addressable provisions differ slightly from required specifications and provide a bit more flexibility. Addressable provisions, however, are not optional, and CEs and BAs must fully understand this. They must also understand the difference between, and the nuances of, required and addressable provisions in order to remain in compliance.
According to the Security Rule, “The concept of ‘addressable implementation specifications’ was developed to provide covered entities additional flexibility with respect to compliance with the security standards.” This means CEs and BAs can approach specifications defined as addressable from an assessment perspective rather than a mandated one, in order to determine whether the specification is reasonable and appropriate given their environment. In short, addressable provisions describe more of what needs to get done than how CEs are supposed to do it.
After assessing whether an addressable provision is reasonable and appropriate for their organization, CEs can implement the specification as written, or they can implement an equivalent alternative measure that also satisfies the standard. Alternatively, the CE can determine that neither the specification nor an equivalent measure is reasonable and appropriate. (Note that technical infrastructure, resources, and cost are all factors that can be used to determine how reasonable or appropriate a solution is for an individual company.) Bear in mind, however, that CEs and BAs must document every phase of the assessment and decision-making process, whichever path they choose; this documentation is a critical operational function.
As an example, according to the Security Rule, while encryption for data in transit is required, encryption for data at rest is addressable. However, that does not mean that entities can tread lightly when it comes to encryption. If encryption is found to be reasonable and appropriate, and especially given today’s increasing number of access points to information, CEs should consider expanding encryption beyond ePHI to privileged credentials and passwords.
What are the Ramifications of Being Non-Compliant?
The Department of Health and Human Services (HHS) provides education and training for CEs to make it easier for them to stay compliant with the Security Rule. As more technologies evolve, though (take mobile, for example), so do the threats to information stored digitally. Healthcare data has become more sought after than financial data, and one in three Americans suffered a breach in their healthcare information last year alone.
Entities that violate the Security Rule can face civil or even criminal penalties for noncompliance. Fines for civil penalties range from $25,000 to $1.5 million per calendar year, and criminal penalties range from $50,000 plus one year jail time to $250,000 and ten years incarceration.
Large breaches as a result of non-compliance also take more than a monetary toll on entities—in an industry where trustworthiness and professionalism reign supreme, failing to protect patient data in such a public way can severely damage a company’s reputation and, as a result, its bottom line.
Compliance is always necessary. It’s especially relevant today, as the second round of HIPAA audits is set to begin this year. Although only about 300 provider organizations across the country will be audited, it’s important for entities to prepare by conducting internal risk assessments, updating breach policies, and ensuring all written documentation is completed accurately. When in doubt, companies should act rather than debate whether a provision is addressable or required because, after all is said and done, HIPAA’s security standards only set a baseline: doing more to protect ePHI, and business interests, is always better than doing less. When it comes to the systems and processes you have in place to protect ePHI, how does your business stack up? Are you ready for an audit?