A HIPAA Question:

A HIPAA Question: "Addressable" vs. "Required" Implementation Standards

We are finding that many of our subscribers including both covered entities and business associates have questions regarding the difference between "Required" and "Addressable" HIPAA Security Final Rule Standards. The Final Rule includes Standards (what must be done) and Implementation Specifications (how it must be done).

The implementation specifications are either Required (R) or Addressable (A). The specifications listed as Required you must do. Addressable does not mean "not required" nor does it mean "optional". It means you must address the specification in some way or address the standard itself in some way. All of these actions and determinations must be documented.**

** (You document your implementation of these standards by customizing the slides in your training with your chosen policies and procedures).

  • Required — You must implement the specification as stated. For example, all covered entities including small providers must conduct a "Risk Analysis" in accordance with Section 164.308(a)(1) of the Security Rule. (We offer a Security Risk Analysis for you on our website).


  • Addressable — You may:
    • implement the specification as stated,
    • implement an alternative measure that also brings you into compliance with the standard, or
    • not implement the addressable specification or any alternative measures, if doing so is unreasonable and inappropriate for your particular situation. However, where a covered entity chooses this option, the reasoning supporting the decision must be documented. The written documentation should include the factors considered by the covered entity, as well as the results of any risk assessment on which the decision was based.

In conclusion, these standards just make good business sense and will benefit your practice once implemented. After all, the Security Rule was created to help covered entities and business associates of all sizes prevent unauthorized use of sensitive health information.

The information for this Tip of the Week was taken from your HIPAA Resource Guides. Further information on Required and Addressable specifications can also be found at the following website: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html