What is the difference between HIPAA “required” and “addressable” security measures?

For healthcare professionals, HIPAA guides many of the processes and procedures performed on a day-to-day basis. Understanding the Act and being in compliance with its rules is mandatory to ensure the long-term survival of your practice and safety of your patient’s personal health information (PHI). With that being said, HIPAA contains many components that can fall off your organizations radar if you are not paying close attention. For example, the Act contains “required” and “addressable” security measures. Each of these mean different things. Let’s find out more.

HIPAA “Required” Security Measures

As you can probably guess, required rules are required. These are enforced security measures that mandate action be taken from within your organization in order to be HIPAA compliant. These need to be implemented in the way mandated by the HIPAA Security Rule or compliance to the rule as a whole is lost. Some examples of “required” security measures, as detailed by HIPAA Journal, include the following…

• Implement a means of access control: This not only means assigning a centrally-controlled unique username and PIN code for each user, but also establishing procedures to govern the release or disclosure of ePHI during an emergency.*
• Introduce activity logs and audit controls: The audit controls required under the technical safeguards are there to register attempted access to ePHI and record what is done with that data once it has been accessed.*

HIPAA “Addressable” Security Measures

While “addressable” security measures come with more flexibility than those that are required, that does not mean that these measures are optional. Security measures marked as addressable simply mean that an objective is prescribed by HIPAA to achieve, but the practice is able to make a call on how that objective is reached. Sometimes this means deciding if it needs reached at all. If your practice decides that a specific objective outlined by HIPAA isn’t necessary for your organization, you must clearly document the thought process behind why that decision was made. This will help protect your practice in case you are audited by HIPAA in the future and puts you in compliance with the Security Rule. Some examples of “addressable” security measures, as detailed by HIPAA Journal, include the following…

• Introduce a mechanism to authenticate ePHI: This mechanism is essential in order to comply with HIPAA regulations as it confirms whether ePHI has been altered or destroyed in an unauthorized manner.*
• Implement tools for encryption and decryption: This guideline relates to the devices used by authorized users, which must have the functionality to encrypt messages when they are sent beyond an internal firewalled server, and decrypt those messages when they are received.*
• Facilitate automatic log-off of PCs and devices: This function logs authorized personnel off of the device they are using to access or communicate ePHI after a pre-defined period of time. This prevents unauthorized access of ePHI should the device be left unattended.*

When an entity is dealing with an “addressable” security measure, they have three options in how they can proceed. These include: implement the specification for the requirement, implement an alternative that achieves that same objective, or implement nothing.

A great thing to remember if you are worried about being in compliance is that you can always go above and beyond when it comes to HIPAA. When in doubt, implement a solution that satisfies the Security Rule.

*These “required” and “addressable” security measures’ implementation specifications and further information segments have been directly taken from HIPAA Journal.

Are you looking for a HIPAA tool to help you succeed and a PM and EMR system to do it with? Look no further. Call us today to learn more about Medical Guardian and MicroMD solutions. Visit us at micromd.com or call us at 800-624-8832.