
Required Specification

An implementation specification in the HIPAA Security Rule (45 CFR 164.306(d)(2)) that every covered entity and business associate must implement. Unlike an addressable specification, it cannot be replaced by a documented alternative measure or omitted with a documented rationale.

Understanding Required Specifications

Under the HIPAA Security Rule, implementation specifications are categorized as either "required" or "addressable" (45 CFR 164.306(d)). A required specification is mandatory: every covered entity and business associate must implement it, regardless of the organization's size, complexity, or resources. There is no option to substitute an alternative measure or to document why implementation is not reasonable and appropriate. Note that the Rule is technology-neutral: the "flexibility of approach" in 164.306(b) (size, complexity, technical infrastructure, cost, and the likelihood and criticality of risks) still governs how a required specification is implemented, but never whether. Required specifications represent the baseline safeguards that HHS has determined are essential for protecting electronic protected health information (ePHI) in every healthcare environment. HHS's January 2025 Notice of Proposed Rulemaking proposes to eliminate the addressable category and make all implementation specifications required; until a final rule takes effect, the current required/addressable distinction applies.

Examples of Required Specifications

Several critical security measures are classified as required implementation specifications. Under the administrative safeguards (45 CFR 164.308) these include conducting a risk analysis to identify potential risks and vulnerabilities to ePHI, implementing a risk management program to reduce identified risks to a reasonable and appropriate level, applying sanctions against workforce members who violate security policies, implementing procedures to regularly review information system activity (audit logs, access reports, and security incident tracking reports), and maintaining the contingency plan elements of data backup, disaster recovery, and emergency mode operation. Under the technical safeguards (45 CFR 164.312) they include unique user identification and emergency access procedures for access control. Some obligations often listed alongside these are standards rather than implementation specifications: assigned security responsibility (designating a Security Official) and person or entity authentication have no implementation specifications of their own, but every standard in the Rule is itself mandatory. By contrast, workforce authorization and supervision procedures (164.308(a)(3)(ii)(A)) are an addressable specification, not a required one.

Compliance Implications

Failure to implement a required specification is a direct violation of the HIPAA Security Rule and can result in civil monetary penalties, corrective action plans, and other enforcement actions by the HHS Office for Civil Rights (OCR). With an addressable specification, an organization may assess whether the measure is reasonable and appropriate and, if it is not, document that assessment and implement an equivalent alternative where one is reasonable and appropriate; "addressable" does not mean optional. Required specifications offer no such flexibility. Organizations must implement every required specification and must be able to demonstrate compliance through documentation retained for at least six years (45 CFR 164.316). The risk analysis in particular is one of the most frequently cited failures in OCR enforcement actions, which underscores the importance of fully implementing all required specifications.
