Data Backup and Security Blog

Required versus Addressable HIPAA Implementation Specs

Thursday, September 2nd, 2010

The HIPAA Security Final Rule comprises Standards (what must be done) and Implementations Specifications (how it must be done) for creating policies, procedures and practices to prevent, detect, contain and correct security violations.

Implementation specifications are indicated as required or addressable.  As organizations work towards HIPAA-HITECH compliance, it is important to understand the difference.

A covered entity or business associate must comply with every required implementation specification. For example, all covered entities and business associates, including small providers, must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:

  • Implement the addressable implementation specification as stated;
  • Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
  • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities and business associates are required to document these assessments and all decisions. For example, all covered entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.

Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented.

An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Our advice…

  • Don’t waste time debating about ‘addressable’ versus ‘required’.
  • Just do it! – the vast majority of the standards specifications make good business sense.
  • HIPAA Security Standards set a “floor” or “baseline” for security.
  • Don’t make the mistake of thinking ‘addressable’ means ‘optional’; it does not!
  • Check out our HIPAA-HITECH compliance software to jump-start your program.

bob.chaput@datamountain.com | (800) 704-3394 | Follow Bob on Twitter: twitter.com/BobChaput

How To Revitalize Your HIPAA-HITECH Compliance Program

Tuesday, August 31st, 2010
Dear Data-Diligent Readers,
Just a short note to let you know we are delivering a 60-90 minute Complimentary Live Webinar on Tuesday, 9/14 at 2:30pm ET / 1:30pm CT / 11:30am PT on “How To Revitalize Your HIPAA-HITECH Compliance Program.”
We hope you can join us and benefit from our expertise! Register today and/or write to us with any questions you may have!
Whether you’re a Covered Entity (CE), a Business Associate (BA) or a subcontractor, if you receive, store, process or transmit ePHI, you need to attend this webinar. No matter where you are in your HIPAA-HITECH compliance journey, you will benefit from specific, actionable ideas on how to:
  • Jump-start your program
  • Revitalize your compliance efforts
  • Update your program with HITECH requirements
  • Develop an internal benchmarking system
  • Implement safeguards as soon as possible
  • Evaluate current administrative, physical and technical safeguards

In this webinar, attendees will:
  • Review the HIPAA Security Final Rule
  • Learn about major changes brought about by The HITECH Act
  • Learn about the new Civil Monetary Penalty System
  • Learn practical, actionable steps to take today to mitigate risk and help assure compliance
  • View a demo of our HIPAA-HITECH Security Assessment ToolKit™

We would love to hear your thoughts. Please comment below!

Benefit from our expertise… DOWNLOAD FREE ARTICLE: “The Truth About the HIPAA Security Rule, The HITECH Act and Data Backup”. Attend our Complimentary Live Webinars on data protection, online data backup and recovery and data security. Register today! Or, view one of our Pre-Recorded Webinars.