Overview:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity must do the following:
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.
Action Items:
1) Obtain and review implementation specification documentation. Verify the words "Required" and "Addressable" appear when appropriate.
2) Select a sample of system devices and verify the documented specifications are properly implemented.
3) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information.
4) As applicable to the entity-- (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate, either document why it would not be reasonable and appropriate to implement the implementation specification or implement an equivalent alternative measure if reasonable and appropriate.
Related Documents:
1) Configuration & Change Management Policy
2) Documentation that outlines detailed implementation specifications, as applicable to the covered entity.
Additional Guidance:
An “implementation specification” is an additional detailed instruction for implementing a particular standard. Each set of safeguards is comprised of a number of standards, which, in turn, are generally comprised of a number of implementation specifications that are either required or addressable. If an implementation specification is required, the covered entity must implement policies and/or procedures that meet what the implementation specification requires. If an implementation specification is addressable, then the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity’s environment. This involves analyzing the specification in reference to the likelihood of protecting the entity’s EPHI from reasonably anticipated threats and hazards. If the covered entity chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure. See C.F.R. § 164.306(d)(ii)(B)(2) for more information.
Article ID: 431
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-implementation-specifications-164-306-d-431.html