Under the Department of Health and Human Services (“DHHS”) regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a covered entity must implement all applicable security standards. Most standards have implementation specifications, which provide guidance as to how to meet the standard. Such specifications are either required (the covered entity must do them) or addressable (the covered entity must address them—that is, figure out whether they need to do them). When an addressable implementation applies, the covered entity must determine whether the addressable implementation specification is reasonable and appropriate in its environment (in the covered entity’s situation) with respect to its likely contribution to actually protecting the PHI. If it is reasonable and appropriate, then it becomes required. If not, the covered entity has two other choices: it may implement an equivalent alternate measure or do nothing because it is not reasonable and appropriate to do anything. The covered entity must, however, as demonstrated by the recent Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”), $1.5 million settlement and a corrective action plan, document why it did or didn’t do the action specified in the addressable implementation specification.
In giving my seminars to hundreds of covered entities coast to coast, I find that the vast majority of covered entities are failing to document why they do not implement an addressable implementation specification, if, indeed, they even address it in the first place. So I have developed a template to help them do so and have posted it in the Premium Member section of the Veterans Press website. My template isn’t just the raw template, however. It is filled in with three examples to get you started. Adapt the samples and add to the matrix as appropriate for your organization. Make sure that you keep it as documentation in writing of your organization’s decisions for the required six-year records retention period under HIPAA.
Under the Department of Health and Human Services (“DHHS”) regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), a covered entity must implement all applicable security standards. Most standards have implementation specifications, which provide guidance as to how to meet the standard. Such specifications are either required (the covered entity must do them) or addressable (the covered entity must address them—that is, figure out whether they need to do them). When an addressable implementation applies, the covered entity must determine whether the addressable implementation specification is reasonable and appropriate in its environment (in the covered entity’s situation) with respect to its likely contribution to actually protecting the PHI. If it is reasonable and appropriate, then it becomes required. If not, the covered entity has two other choices: it may implement an equivalent alternate measure or do nothing because it is not reasonable and appropriate to do anything. The covered entity must, however, as demonstrated by the recent Massachusetts Eye and Ear Infirmary (“MEEI”) and Massachusetts Eye and Ear Associates, Inc. (“MEEA”), $1.5 million settlement and a corrective action plan, document why it did or didn’t do the action specified in the addressable implementation specification.
In giving my seminars to hundreds of covered entities coast to coast, I find that the vast majority of covered entities are failing to document why they do not implement an addressable implementation specification, if, indeed, they even address it in the first place. So I have developed a template to help them do so and have posted it in the Premium Member section of the Veterans Press website. My template isn’t just the raw template, however. It is filled in with three examples to get you started. Adapt the samples and add to the matrix as appropriate for your organization. Make sure that you keep it as documentation in writing of your organization’s decisions for the required six-year records retention period under HIPAA.
