standards and implementation specifications (HIPAA)

HIPAA's Security Rule is divided into administrative, physical and technical safeguard requirements -- now called "standards," in keeping with the language used in the HIPAA statute and the other rules.

The three safeguard categories are further divided into "implementation specifications" that delineate how each of the standards is to be implemented. In some cases, the standard itself contains enough information to describe implementation requirements, so there is no separate specification. (Note that in an earlier version of the Rule, standards were called "requirements," and implementation specifications were called "implementation features.")

The Security Rule has both "required" and "addressable" provisions for its administrative, physical and technical safeguards. Required means just what you think -- it must be done. Addressable specifications can be met by implementing:

  • one or more of the "addressable" specifications;
  • one or more alternative security measures;
  • a combination of both of these; or
  • none of the above.

Each covered entity must decide what approach is "reasonable and appropriate" given its risk analysis, its mitigation strategy for those risks, security measures already in place, and the costs of alternatives.

HIPAA contains a specific statutory mandate to consider the needs of small and rural providers. DHHS has commented that it believes the "scalability" of the security provisions meets this requirement -- namely, that "the risk assessment and [the] response to the assessment be based on the needs and capabilities of the entity." (Final Rule, p.41)

The decision rule is easy to list, even if what is "reasonable and appropriate" may still be far from self-evident in many situations. If an addressable provision is determined to be:

  • reasonable and appropriate given the circumstances of the covered entity, it must be implemented;
  • unreasonable or inappropriate, but the standard cannot be met without it, then an alternative measure must be put in place;
  • unreasonable or inappropriate, or simply not applicable to the situation, and the standard can be met without even an alternative, then nothing need be done.

In all cases the covered entity must document what it has (or has not) done to meet the standards in its policies and procedures. The rationale for the selection of an alternative, or to not implement anything at all, must be documented with particular thoroughness, including how the standard is being met via non-standard means.

DHHS has indicated that it plans to issue guidance documents, similar to those for the Privacy Rule, to help covered entities interpret and apply the standards and specifications of the Security Rule.

See also:


   © 2002-2006 Contributing authors and University of Miami School of Medicine