Find out which technical safeguards you need in order to implement a HIPAA Compliance Plan in your office, using our easy-breakdown specifications table.

At this point in our HIPAA compliance journey, we are looking at Technical Safeguards to determine what is required and what is addressable. Before diving into the next table of implementation specifications, let’s recap the difference between required and addressable specifications. A required implementation specification is just what you’d guess: required, meaning you absolutely must implement that specification; there is no getting around it. An addressable implementation specification is optional in a sense, but it comes with other requirements.

For addressable implementation specifications, you have to determine what is feasible for your office and how to implement each specification if you can. Many of the addressable specifications will come down to your budgetary constraints. Others deal with issues pertaining to certain types of knowledge or skillsets, such as Information Technology, that your team may be lacking. In each of these addressable situations, your organization must document how you are addressing the specifications: accepting the risk for now, working to find a different way to meet the standard, etc. The Office for Civil Rights (OCR) will want to see that documentation if you are audited.

Please note that, while many of the specifications are labeled addressable, that does not mean that you can just say that you’ve determined not to mess with that requirement. Take automatic logoffs, for example: if you decided not to implement this standard, you would need to document a very good reason for why you can’t have it in place, to show and explain to an auditor. In most situations, this is a very doable standard, so it should be treated as required. Really, all specifications should be treated as required; then, if you really can’t find an affordable or practical way to meet a specification at your organization, and it’s labeled as addressable, you can outline why it doesn’t work for you.

Alright, let’s dive into the required vs. addressable Technical Safeguards:
[Image: HIPAA Compliance Plan]

For our next posts, we will be moving from the required vs. addressable safeguards to the required vs. addressable Organization and Document requirements. If you missed the Administrative or Physical safeguards tables, click here to check out our prior posts.

Ready to start meeting these HIPAA standards? Sign up with HIPAAgps today to get started on your risk assessment and HIPAA Compliance Plan! We provide tools to help you and other health care organizations meet the many required and addressable HIPAA standards seen in these tables.