DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
What are Required Implementation Specifications and What are Addressable Implementation Specifications?
The Security Rule contains a series of standards, such as the facility access controls standard and the device and media controls standard. Many standards contain "implementation specifications," which are measures for how to implement the standard (note that some standards, like the audit controls standard, do not contain implementation specifications. Compliance with such standards is required). When a standard contains implementation specifications, the language "implementation specifications" appears in the text of the standard.
Implementation specifications are required or addressable.
If an implementation specification is required, the word “Required” appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word “Addressable” appears in parentheses after the title of the implementation specification.
What is the General Rule for Required Standards?
When a specific standard includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.
What is the General Rule for Addressable Standards?
When a specific standard includes addressable implementation standards, a covered entity or business associate must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information.
Then, after the assessment, the covered entity or business associate must implement the implementation specification if it is reasonable and appropriate to do so. If the covered entity or business associate has determined that implementing the implementation specification is not reasonable and appropriate, the covered entity or business associate must meet several requirements. First, the covered entity or business associate must document why it would not be reasonable and appropriate to implement the implementation specification. Then, the covered entity or business associate must implement an equivalent alternative measure if it reasonable and appropriate to do so.
Was this article helpful?
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article