Upcoming Webinars

  • No upcoming events


The analysis of any legal or medical billing is dependent on numerous specific facts — including the factual situations present related to the patients, the practice, the professionals and the medical services and advice. Additionally, laws and regulations and insurance and payer policies are subject to change. The information that has been accurate previously can be particularly dependent on changes in time or circumstances. The information contained in this web site is intended as general information only. It is not intended to serve as medical, health, legal or financial advice or as a substitute for professional advice of a medical coding professional, healthcare consultant, physician or medical professional, legal counsel, accountant or financial advisor. If you have a question about a specific matter, you should contact a professional advisor directly. CPT copyright American Medical Association. All rights reserved. CPT is a registered trademark of the American Medical Association.

Log in

Implementation Specifications: Required or Addressable 

The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements.  Each one of these sections has multiple “standards” that must be followed by the covered entity.  Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”. 

A “required” implementation specification must be implemented by the covered entity.

An “addressable” implementation specification is more flexible, but it is not optional.  A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:

    • Implement the addressable implementation specification;
    • Implement an equivalent alternative measure that allows the entity to comply with the standard; or
    • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities must document the assessment and decision made regarding each specification.

If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:

    • The entity's risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?
    • The entity’s security analysis - What security measures are already in place or could reasonably be put into place?
    • The entity’s financial analysis - How much will implementation cost?


45 CFR ยง164.306

U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities

NIST SP 800-66

Copyright Med Comply LLC 2022

Med Comply does not claim copyright over US Federal and State materials

CPT codes are copyright 1995-2022 American Medical Association. All rights reserved.

About Us

Join Us

Find Us

Med Comply is a healthcare compliance firm that strives to bring high quality compliance guidance and one-on-one consulting services to small and medium sized physician and NPP practices.   

Learn More

Join today as either a monthly or a yearly member and enjoy full access to the site and ongoing personalized compliance and billing support. 

Join Today

Powered by Wild Apricot Membership Software