The HIPAA security regulations consist of standards and implementation specifications. Each standard is required; that is, each covered entity must comply with all standards. Implementation specifications may be either required or addressable. Addressable implementation specifications are not required but must be addressed. Note that the security requirements pertain only to electronic protected health information maintained by a covered entity, although throughout the self-assessment and compliance worksheets the recommended scope of compliance may be broader than electronic protected health information. You will need to determine whether the scope of your program includes all electronic resources or only electronic protected health information.
The meanings of the various terms used in the security regulations are as follows:
Standards. A covered entity must comply with the standards with respect to all electronic protected health information.
Implementation specifications are either required or addressable.
- Required Implementation Specifications. If an implementation specification is required, a covered entity must implement the implementation specification.
- Addressable Implementation Specifications. If an implementation specification is addressable, a covered entity must:
- Assess whether the implementation specification is a reasonable and appropriate safeguard in the environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information; and
- As applicable to the entity:
- Implement the implementation specification if reasonable and appropriate; or
- If implementing the implementation specification is not reasonable and appropriate:
- Document why it would not be reasonable and appropriate to implement the implementation specification; and
- Implement an equivalent alternative measure if reasonable and appropriate.
Note that we have referred to the addressable specifications in this guide as “Additional Considerations.”