HIPAA: How to bend the security rule ‘reasonably’ and ‘appropriately’

HIPAA is not a set of hard and fast rules. Some of the rules are flexible, giving you leeway on whether to address them and how.

For example, the security rule (the most important part of HIPAA for IT providers) labels each guideline in one of two ways:

  1. Required – There is no getting around it. These guidelines must be followed.

For example, the guideline “isolate healthcare clearinghouse functions” is required.

  2. Addressable – These guidelines give you flexibility on whether to implement them, implement alternatives, or implement nothing.

For example, “password management” – which refers to procedures for creating, changing, and safeguarding passwords – is an addressable guideline.

But “addressable” does not mean “optional.” It’s best to think of these guidelines as required unless they are not “reasonable and appropriate” for the environment.

This raises the question: what is reasonable?


What is reasonable and appropriate?

If an “addressable” guideline seems reasonable and appropriate for the organization to implement, then you have to follow it.

In HIPAA, a variety of factors determine whether a guideline is considered “reasonable and appropriate.”

Factors include:

  • Size, complexity, and capability of the healthcare organization
  • Security capabilities of the healthcare organization (infrastructure, hardware, software)
  • Associated costs
  • Risks and benefits to the protection of ePHI

Other factors are the organization’s risk analysis, risk mitigation strategy, and the security measures that are already in place.


Security Rule: Be reasonable!

If you determine an “addressable” guideline is not reasonable for the environment, then the question becomes: is there a reasonable alternative? If yes, then the alternative must be implemented.

For example, let’s say an addressable guideline required two-factor authentication (this isn’t a HIPAA guideline, but it’s common in other frameworks). This might be too difficult and expensive for a small doctor’s office to follow and deemed “unreasonable.”

However, a small doctor’s office can still take steps to improve password security. For example, one alternative is to require all employees to use passwords of at least 15 characters with a mix of numbers and uppercase and lowercase letters.

It’s perfectly reasonable for a small healthcare office to implement this alternative, and it seems an appropriate way to improve password security.

Document your reasons

Whether you choose a reasonable alternative or decide not to follow the guideline at all, you have to document your reasoning. The regulations say very clearly:

“The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.”

So the “addressable” guidelines give you some wiggle room, but don’t wiggle your way out of compliance. Remember: the goal is to protect ePHI, and that should be your motivation throughout the process.


Written by Calyptix, November 17, 2014
