“Addressable” Was Never Optional. The Industry Has Misunderstood This for Years.

A persistent misreading of HIPAA’s Security Rule has left organizations exposed in ways they didn’t realize.

Few terms in HIPAA’s Security Rule have been as consistently misunderstood as “addressable.” Many organizations have treated addressable implementation specifications as optional: a safeguard to implement if convenient and to skip if not. That interpretation has never been correct, and the gap between common practice and actual legal obligation has become a recurring source of enforcement exposure.

What “addressable” actually requires

Under the current framework, every implementation specification is either “required” or “addressable.” Required specifications must be implemented exactly as written, with no discretion. Addressable specifications require something more nuanced: a documented assessment of whether the safeguard is reasonable and appropriate given the organization’s size, complexity, and risk profile. If it is reasonable and appropriate, it must be implemented. If not, the organization must adopt an equivalent alternative measure, or document a defensible reason why neither the original safeguard nor an alternative applies.

In every case, the underlying standard still has to be met. “Addressable” was always a statement about how flexibly a standard could be satisfied, never about whether it needed to be.

Where this misunderstanding creates real exposure

The practical consequence shows up during enforcement actions and breach investigations. An organization that skipped an addressable safeguard without documenting a reasonable justification or alternative measure has not satisfied its obligation, regardless of whether it believed the safeguard was optional. Regulators have shown limited sympathy for good-faith misunderstanding of a framework that has been in place for years.

This is compounded by regulatory movement toward narrowing or eliminating the addressable category altogether in proposed rule updates, a shift partly motivated by exactly this pattern of misapplication across the industry.

Correcting course

The flexibility built into HIPAA’s Security Rule was never a loophole. Organizations that have treated it as one are now facing a regulatory environment with far less patience for the distinction.