In the final Security Standards Rule published in the Federal Register on February 20, 2003, what is the difference between addressable and required specifications?

Answer:

If an implementation specification is described as "required", the specification must be implemented. The concept of "addressable implementation specifications" was developed to provide covered entities additional flexibility with respect to compliance with the security standards.

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures to accomplish the same purpose; or (c) not implement either the addressable implementation specification or an alternative.

The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented.


Copyright © 2007-09 Supremus Group LLC