HIPAA is not a set of hard and fast rules. Some of the rules are flexible, giving you leeway on whether to address them and how.
For example, the security rule (the most important part of HIPAA for IT providers) labels each guideline in one of two ways: required or addressable.
For example, the guideline “isolate healthcare clearinghouse functions” is required.
For example, “password management” – which refers to procedures for creating, changing, and safeguarding passwords – is an addressable guideline.
But “addressable” does not mean “optional.” It’s best to think of these guidelines as required unless they are not “reasonable and appropriate” for the environment.
This raises the obvious question: what is reasonable?
If an “addressable” guideline seems reasonable and appropriate for the organization to implement, then you have to follow it.
In HIPAA, a variety of factors determine whether a guideline is considered “reasonable and appropriate.”
Factors include:
Other factors are the organization’s risk analysis, risk mitigation strategy, and the security measures that are already in place.
If you determine an “addressable” guideline is not reasonable for the environment, then the question becomes: is there a reasonable alternative? If yes, then the alternative must be implemented.
For example, let’s say an addressable guideline required two-factor authentication (this isn’t a HIPAA guideline, but it’s common in other frameworks). This might be too difficult and expensive for a small doctor’s office to follow and deemed “unreasonable.”
However, a small doctor’s office can still take steps to improve password security. For example, one alternative is to require all employees to use passwords of at least 15 characters containing a mix of numbers, uppercase letters, and lowercase letters.
It’s perfectly reasonable for a small healthcare office to implement this alternative, and it seems an appropriate way to improve password security.
Whether you choose a reasonable alternative or decide not to follow the guideline at all, you have to document your reasoning. The regulations say very clearly:
“The decisions that a covered entity makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.”
So the “addressable” guidelines give you some wiggle room, but don’t wiggle your way out of compliance. Remember: the goal is to protect ePHI, and that should be your motivation throughout the process.