
Does my organization have to follow industry best practices that relate to information security?


A – Security and Privacy Rule requirements established by HIPAA fall into one of two categories: Addressable or Required. If a HIPAA specification is “required”, then covered entities must implement the controls identified in the Security Rule. “Addressable” specifications must be assessed by the organization to determine the reasonableness and appropriateness of the safeguard in the respective environment, and the organization must then either implement the specification or document why it is not reasonable or appropriate. For addressable specifications, an entity may use industry best practices to make a risk acceptance judgment within the parameters of HIPAA to determine what is reasonable, appropriate, or applicable. Industry best practices are not requirements, but, just as they state, the best practices given one's situation and environment. An organization may use the best practices as a guide or input to the decision-making process. In contrast, organizations that do not use industry best practices and who become th
