HIPAA Security Tip #15: Required Vs. Addressable

By Iseman Cunningham Riester & Hyde LLP

The HIPAA Security Rule states its safeguards as standards, most of which are accompanied by implementation specifications. Every standard must be met, but the implementation specifications come in two types: “required” and “addressable.” A handy chart of all the standards and their implementation specifications, each marked (R) for required or (A) for addressable, was published as “Appendix A” to the final Security Rule. (A link to the rule on CMS’s website appears at the end of this tip.)

Addressable does not mean “optional.” The Security Rule (45 CFR 164.306(d)) describes the process a Covered Entity must go through when deciding how to approach an addressable implementation specification.

If an addressable implementation specification is “reasonable and appropriate” for the Covered Entity’s environment, the Covered Entity must implement it. Whether a specification is reasonable and appropriate will depend on many factors including, among others:

  • The Covered Entity’s risk analysis;
  • The Covered Entity’s risk mitigation strategy;
  • Existing security measures; and
  • The cost of implementing the standard.

Cost alone will almost never be the determinative factor, but it should be weighed against the probability of a security incident and the severity of the damage such an incident would cause.

If implementing the specification would be unreasonable or inappropriate based on this analysis, the Covered Entity must consider whether an equivalent alternative measure exists that accomplishes the same purpose. If that alternative measure is reasonable and appropriate, the alternative measure must be implemented.

If no equivalent alternative measure exists, or if implementing the alternative would likewise be unreasonable or inappropriate, the Covered Entity need not implement the specification, but it must document why implementation was not reasonable and appropriate. The underlying standard still applies.

Each step of this analysis, and the decision it produces, must be documented in writing.

Appendix A to the final Security Rule, as mentioned above, is available at:
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf. Acrobat Reader is required to view this document. Scroll to Federal Register page 8380.

HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.
