Recently, a HIPAA consultant answered a question about whether one had to implement an addressable implementation specification. His answer was basically “no.” He must have recently watched the old Jackie Gleason Honeymooners episode in which Ralph Kramden and his sidekick, Ed Norton (played by Art Carney), were practicing golf. Ralph told Ed to “address” the ball, apparently meaning to take up a position lining up on the ball and take a few practice swings. Ed, who is none too bright, leans over and says, “Hello, Ball.”

Although you may not have to implement an addressable implementation specification, you well may have to or at least implement an equivalent alternate measure. Section 164.306(d)(3) of the Security Rule specifies that, for addressable implementation specifications, covered entities must assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic protected health information (“EPHI”), and—

(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate—

(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and

(2) Implement an equivalent alternative measure if reasonable and appropriate.

The Department of Health and Human Services (“DHHS”) recently settled a HIPAA violation with Massachusetts Eye and Ear Infirmary for $1.5 million for not documenting why it hadn’t implemented an addressable implementation specification—that is, encryption of a laptop that it had lost. Perhaps, encryption was not reasonable and appropriate because all the laptop had on its hard drive was wave files of hearing ranges with a secure patient identifier that would be meaningless to anyone but an audiologist. But it hadn’t documented that risk analysis or documented why an equivalent security measure was not reasonable and appropriate. Nor did it document why not doing anything was not reasonable and appropriate.

Further, as another example, DHHS settled a HIPAA violation with the Alaska Department of Health and Social Services (“DHSS”), the state agency in charge of Alaska Medicaid, for $1.7 million. According to the DHHS press release issued at the time of the settlement, “The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed (emphasis added) device and media encryption as required by the HIPAA Security Rule.”

No, “addressable” in this context does mean that you simply say hello to the addressable implementation specification and then forget about it. You may have to implement it if reasonable and appropriate or implement an equivalent alternate measure or, at an absolute minimum, document why you didn’t do anything. In any event, you must conduct and document a thorough risk analysis regarding the addressable implementation specification. And keep that written (may be electronic) documentation for six (6) years as required under HIPAA.

For detailed instructions on how to conduct a risk analysis, see my book The Compliance Guide to HIPAA and the DHHS Regulations (6^th edition forthcoming 2014) and the accompanying HIPAA Documents Resource Center CD (6^th edition) or my Risk Analysis ToolKit. If you need help implementing policies and procedures that you need as a result of your risk analysis, see my book The Complete HIPAA Policies and Procedures Guide with accompanying HIPAA Compliance Sample Policies and Procedures CD. If you need a place to keep all of that documentation, use my three-ring binder book Your Happy HIPAA Book. If you need to provide HIPAA training to your workforce, use my Basic HIPAA Training Video DVD and Workbook or the online version. If you have experienced a HIPAA security incident or a full-blown breach, see my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

Also, consider attending our upcoming two-day Hands-on HIPAA Workshop aboard the Queen Mary, anchored in Long Beach, California, October 16-17, 2014.