Security rule's addressable specifications require more documentation

HIPAA Weekly Advisor, June 6, 2003

Your organization could be doing everything right and be complying with all aspects of the HIPAA security rule. But without proper documentation to support that compliance, you're creating a tremendous risk.

You must document how your organization is complying with all the implementation specifications, explains Jeff Jinnett, JD, CISSP, a partner at the law firm of Epstein Becker & Green, PC, in Boston. Jinnett is also on the American Accreditation Healthcare Commission's (also known as URAC) advisory committee for its HIPAA Security Accreditation program and helped develop the standards (see "URAC approves security accreditation standards" in the May 19 edition of HIPAA Weekly Advisor).

Organizations that choose not to implement an addressable specification are required to provide even more documentation, but the security rule doesn't give a lot of detail about this documentation, says Jinnett. "In some instances, an organization may decide that it is not reasonable or appropriate to implement an addressable implementation specification," he says. "The organization would then need to document its rationale for not adopting the specification, and this rationale should be based on the organization's security risk assessment, among other relevant factors. It would also need to document any alternative security measures it has implemented in order to satisfy the security standard to which the addressable implementation specification relates," he adds.

Your risk analysis will help you decide how you're going to attack the addressable specifications, says Jinnett. Use the analysis to identify where you might have problems and whether certain safeguards are reasonable in relation to the risk. A potential safeguard may be too expensive in comparison to the risk, he explains. "And it is also inappropriate to throw a dollar against a million-dollar risk."

But don't think that lack of money alone is a good enough reason for avoiding a specification, says Jinnett. "Cost is a factor that can be taken into account, but it can't be the definitive factor."

It should be noted that the security rule represents a "floor" with respect to security practices, rather than embodying industry best practices, he says. "To the extent that an organization's security policies, procedures, and measures match industry best practices, the organization may wish to note this in the documentation, especially in those instances where the measures in place do not match the addressable specifications, but are believed by the organization to represent a reasonable and appropriate alternative."

Editor's note: Adapted from the upcoming June 2003 issue of Healthcare Information Security. Go to http://www.hipaapro.com/news/hipaa_downloads.cfm to download Jeff Jinnett's annotated template for documenting an entire HIPAA compliance program.
