The analysis of any legal or medical billing is dependent on numerous specific facts — including the factual situations present related to the patients, the practice, the professionals and the medical services and advice. Additionally, laws and regulations and insurance and payer policies are subject to change. The information that has been accurate previously can be particularly dependent on changes in time or circumstances. The information contained in this web site is intended as general information only. It is not intended to serve as medical, health, legal or financial advice or as a substitute for professional advice of a medical coding professional, healthcare consultant, physician or medical professional, legal counsel, accountant or financial advisor. If you have a question about a specific matter, you should contact a professional advisor directly. CPT copyright American Medical Association. All rights reserved. CPT is a registered trademark of the American Medical Association.
Implementation Specifications: Required or Addressable
The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. Each one of these sections has multiple “standards” that must be followed by the covered entity. Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”.
A “required” implementation specification must be implemented by the covered entity.
An “addressable” implementation specification is more flexible, but it is not optional. A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:
Covered entities must document the assessment and decision made regarding each specification.
If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:
45 CFR §164.306
U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities
NIST SP 800-66