The compliance officer documented the exception in 2021. Line item: Encryption at rest. Classification: “Addressable, Not Implemented.” Justification: legacy EHR servers do not support AES-256, and hardware replacement exceeds the current budget cycle. The risk assessment sat in a SharePoint folder for three years, untouched and unreviewed.
A breach exposed 42,000 patient records in 2024. OCR investigators pulled the risk assessment and found the encryption exception. The organization’s defense collapsed on a single word: “addressable” never meant “optional.” OCR had $16 million in Anthem settlement precedent proving the point [OCR Anthem Settlement 2018]. The addressable designation required a documented analysis, an equivalent alternative, or a risk acceptance decision reviewed annually. Writing “not implemented” with no alternative and no review satisfied none of those requirements.
The January 2025 HIPAA Security Rule NPRM eliminates this ambiguity permanently: all implementation specifications become mandatory with limited exceptions, and the addressable/required distinction disappears [HHS OCR NPRM 2025]. Organizations that built compliance programs around the “addressable means optional” interpretation face mandatory control implementations across encryption, audit logging, and access management, and those documenting “not reasonable and appropriate” instead of implementing controls face enforcement action under the updated framework.
What “Addressable” Actually Meant
The HIPAA Security Rule classifies every implementation specification as either “Required” or “Addressable” [164.306(d)]. Required specifications demand implementation without exception. Addressable specifications allow a structured decision process.
The Three-Option Framework
Section 164.306(d)(3) gives covered entities and business associates three options for each addressable specification. First: assess whether the specification is reasonable and appropriate for your environment. Second: implement the specification if reasonable and appropriate.
Third: if not reasonable, document the rationale and implement an equivalent alternative measure [164.306(d)(3)(ii)]. This third option requires two actions, not one. Documenting without implementing an alternative violates the rule.
The Complete List of Addressable Specifications
The Security Rule contains 22 addressable specifications across three safeguard categories. Administrative safeguards include authorization and supervision procedures, workforce clearance procedures, termination procedures, security reminders, malicious software protection, log-in monitoring, and password management [164.308]. Physical safeguards include contingency operations, facility security plan, access control and validation, and maintenance records [164.310]. Technical safeguards include automatic logoff, encryption and decryption at rest, audit controls documentation, integrity controls, and encryption in transit [164.312].
1. Pull your current risk assessment and identify every specification marked “Addressable: Not Implemented” or “N/A.”
2. Verify each non-implementation entry contains both a documented rationale and an equivalent alternative measure [164.306(d)(3)(ii)].
3. If any entry lacks the equivalent alternative, the specification is non-compliant regardless of the documentation.
The “Optional” Misinterpretation
HHS confirmed in official guidance: “The ‘addressable’ designation does not mean an implementation specification is optional” [HHS Security Rule Guidance]. Organizations treated “addressable” as a compliance escape hatch for two decades. The pattern: mark the control addressable, write a one-sentence justification, skip implementation entirely.
How Organizations Weaponized the Exception
First misinterpretation: “addressable means we choose whether to implement.” Wrong. Addressable means the organization assesses feasibility, then either implements or deploys an equivalent alternative.
Second misinterpretation: “we documented why, so we are compliant.” Wrong without an equivalent alternative. Documentation alone satisfies zero percent of the requirement.
Third misinterpretation: “our risk is low, so the control is unnecessary.” Risk level does not exempt an organization from the addressable specification framework [164.306(d)(3)].
The Enforcement Evidence
OCR settlement data proves “addressable” never protected organizations from penalties. Anthem paid $16 million after OCR found failures in risk analysis and access controls [OCR Anthem Settlement 2018]. Premera Blue Cross paid $6.85 million for failing to implement risk management and audit controls [OCR Premera Settlement 2020].
Both organizations had documentation. Neither had adequate implementation. Non-compliance with addressable specifications also triggers breach notification obligations when the resulting security gaps lead to unauthorized disclosures.
1. Search your risk assessment for entries containing “N/A,” “Not Applicable,” or “Risk Accepted” on addressable specifications.
2. For each entry, verify an equivalent alternative control exists and operates effectively.
3. If the equivalent alternative is weaker than the addressable specification itself, upgrade the control before the next audit cycle.
The 2025 NPRM: Eliminating the Distinction
HHS published the first major HIPAA Security Rule update in 20 years on January 6, 2025 [HHS OCR NPRM 2025]. The proposed rule eliminates the addressable/required distinction entirely. Every implementation specification becomes mandatory.
Why HHS Made the Change
The NPRM preamble states HHS found organizations used the addressable designation to avoid investing in necessary security architecture [88 Fed. Reg. 5566]. The flexibility intended to accommodate small practices became a compliance shortcut for large health systems with resources to implement every control. HHS concluded the distinction undermined the Security Rule’s protective purpose.
What the New Framework Requires
Under the proposed rule, all specifications require implementation. The “assess and document” alternative disappears. Organizations must implement every specification listed in 164.308, 164.310, and 164.312 [HHS OCR NPRM 2025].
Limited exceptions exist for organizations meeting specific criteria. The burden of proof shifts from documenting non-implementation to demonstrating active compliance.
The proposed rule also introduces mandatory technology asset inventories, network mapping, and vulnerability scanning requirements not present in the current rule [HHS OCR NPRM 2025]. Organizations operating SaaS platforms handling ePHI face the steepest compliance lift under these new mandates.
1. Download the January 2025 NPRM from the Federal Register and review the sections eliminating the addressable designation.
2. Create a gap analysis comparing your current “Addressable: Not Implemented” entries against the proposed mandatory requirements.
3. Begin budgeting for full implementation of all previously addressable specifications before the Final Rule publication.
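The exception-review steps in this article (check every non-implemented entry for a documented rationale and an equivalent alternative under 164.306(d)(3), confirm the exception was reviewed within the year, then compare the same entries against the NPRM baseline where every specification must be implemented) can be scripted against a risk-assessment export. The following is an added example, not code from the article or from HHS; the CSV columns, the sample rows, the “as of” date and the one-year review window are constructed assumptions, and the citations listed as hard-cost controls are the three the article singles out.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample of a risk-assessment export (not real data). One row per
# implementation specification, with the fields an auditor looks for: the
# specification type, its status, the documented rationale, the equivalent
# alternative measure, and the date the entry was last reviewed.
SAMPLE_EXPORT = """\
citation,specification,type,status,rationale,alternative,last_review
164.312(a)(2)(iv),Encryption at rest,Addressable,Not Implemented,Legacy EHR servers lack AES-256,,2021-03-15
164.312(e)(2)(ii),Encryption in transit,Addressable,Implemented,,,2024-11-02
164.312(a)(2)(iii),Automatic logoff,Addressable,Not Implemented,Shared clinical workstations,Screen lock enforced by group policy after 5 minutes,2024-11-02
164.312(d),Person or entity authentication,Required,Implemented,,,2024-11-02
164.312(b),Audit controls,Required,Implemented,,,2024-11-02
164.308(a)(5)(ii)(D),Password management,Addressable,N/A,Risk accepted,,2024-11-02
"""

# The three controls the article identifies as hard costs under the NPRM.
HARD_COST_CITATIONS = {
    "164.312(a)(2)(iv)",  # encryption at rest
    "164.312(e)(2)(ii)",  # encryption in transit
    "164.312(b)",         # audit controls / centralized logging
}

REVIEW_WINDOW_DAYS = 365  # assumed "reviewed annually" expectation


@dataclass
class Finding:
    citation: str
    specification: str
    current_rule: str   # "compliant..." or the reason the entry fails today
    nprm_gap: bool      # True once every specification is mandatory
    hard_cost: bool     # True for encryption and audit logging


def is_implemented(status: str) -> bool:
    return status.strip().lower() == "implemented"


def review_is_current(last_review: str, as_of: date) -> bool:
    """An exception counts as reviewed if it was revisited within the window."""
    try:
        reviewed = date.fromisoformat(last_review.strip())
    except ValueError:
        return False
    return 0 <= (as_of - reviewed).days <= REVIEW_WINDOW_DAYS


def assess_current_rule(row: dict, as_of: date) -> str:
    """Apply the 164.306(d)(3) test to one row of the export."""
    if is_implemented(row["status"]):
        return "compliant"
    if row["type"].strip().lower() == "required":
        return "required specification not implemented"
    # Addressable and not implemented: needs rationale AND alternative AND a
    # current review. Documentation alone does not satisfy the rule.
    if not row["rationale"].strip():
        return "no documented rationale"
    if not row["alternative"].strip():
        return "no equivalent alternative measure"
    if not review_is_current(row["last_review"], as_of):
        return "exception not reviewed within 12 months"
    return "compliant via equivalent alternative"


def audit(export_text: str, as_of: str = "2025-06-01") -> list[Finding]:
    """Evaluate every row under the current rule and flag NPRM gaps."""
    as_of_date = date.fromisoformat(as_of)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        findings.append(Finding(
            citation=row["citation"],
            specification=row["specification"],
            current_rule=assess_current_rule(row, as_of_date),
            # Under the NPRM the "assess and document" path disappears, so any
            # non-implemented entry is a gap even when an alternative exists.
            nprm_gap=not is_implemented(row["status"]),
            hard_cost=row["citation"] in HARD_COST_CITATIONS,
        ))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts a compliance lead would put in front of leadership."""
    return {
        "noncompliant_today": sum(1 for f in findings
                                  if not f.current_rule.startswith("compliant")),
        "nprm_gaps": sum(1 for f in findings if f.nprm_gap),
        "hard_cost_gaps": sum(1 for f in findings if f.nprm_gap and f.hard_cost),
    }


if __name__ == "__main__":
    results = audit(SAMPLE_EXPORT, "2025-06-01")  # constructed as-of date
    for f in results:
        flag = " [HARD COST]" if f.hard_cost and f.nprm_gap else ""
        print(f"{f.citation:<22} {f.specification:<32} today: {f.current_rule}; "
              f"NPRM gap: {f.nprm_gap}{flag}")
    print(summarize(results))
```

On the sample data the automatic-logoff entry passes today because it has a rationale, a compensating screen-lock control and a recent review, yet it still appears as an NPRM gap; the encryption-at-rest and “Risk accepted” password-management entries fail under both rules because no equivalent alternative was ever recorded.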
Which Three Controls Become Mandatory Hard Costs Under the New Rule?
Most addressable specifications require process changes, not capital expenditure. Three exceptions demand immediate budget allocation because they require technology purchases.
Encryption: At Rest and In Transit
Encryption at rest [164.312(a)(2)(iv)] and encryption in transit [164.312(e)(2)(ii)] were the most commonly deferred addressable specifications. The proposed rule makes both mandatory. AES-256 for data at rest and TLS 1.2 or higher for data in transit become baseline requirements [NIST SP 800-111].
Organizations running legacy servers incapable of AES-256 face hardware replacement costs. Budget $15,000 to $50,000 per server depending on the EHR platform and data migration requirements.
Multifactor Authentication
The current Security Rule references “person or entity authentication” [164.312(d)] without specifying MFA. The proposed rule mandates MFA for all access to ePHI systems [HHS OCR NPRM 2025]. Password-only authentication becomes a violation.
Budget $5 to $10 per user per month for enterprise MFA solutions. Organizations with 500 users should allocate $30,000 to $60,000 annually for MFA licensing, deployment, and support.
Centralized Audit Logging
Audit controls [164.312(b)] were required under the current rule, but the standard for what constitutes adequate logging was ambiguous. The proposed rule specifies centralized log collection with automated monitoring and a minimum 6-year retention period for audit logs [HHS OCR NPRM 2025].
SIEM (Security Information and Event Management) solutions meeting these requirements cost $10,000 to $50,000 annually depending on log volume and organizational size. The following table shows how each control’s classification shifts under the proposed rule.
| Control | Current Status | Proposed Status |
|---|---|---|
| Encryption (at rest) [164.312(a)(2)(iv)] | Addressable | Mandatory |
| Encryption (in transit) [164.312(e)(2)(ii)] | Addressable | Mandatory |
| Automatic logoff [164.312(a)(2)(iii)] | Addressable | Mandatory |
| MFA [proposed] | Not specified | Mandatory |
| Audit logging [164.312(b)] | Required (ambiguous scope) | Mandatory (centralized, 6-year retention) |
| Risk analysis [164.308(a)(1)(ii)(A)] | Required (often deferred) | Mandatory (annual, documented) |
1. Request vendor confirmation whether your EHR platform supports AES-256 encryption at rest and TLS 1.2+ in transit. If legacy systems lack support, begin procurement for replacement hardware.
2. Deploy MFA across all ePHI-access accounts. Start with privileged accounts (administrators, clinicians with full chart access) and expand to all users within 90 days.
3. Evaluate SIEM solutions capable of 6-year log retention. Confirm storage cost projections for your log volume before signing contracts.
How to Prepare Before the Final Rule
The Final Rule publication is expected in late 2025 or 2026, with enforcement beginning 12 to 24 months after publication. Organizations waiting for the Final Rule to start budgeting face compressed implementation timelines.
Kill Your Exceptions File
Pull every risk assessment entry where a control was marked “N/A” or “Addressable: Not Implemented.” Each entry represents a gap requiring closure before the Final Rule takes effect. Prioritize encryption, MFA, and audit logging: these carry the highest implementation costs and the longest deployment timelines.
Map Internal Data Flows
The proposed rule requires technology asset inventories documenting every system creating, receiving, maintaining, or transmitting ePHI [HHS OCR NPRM 2025]. Map internal email flows, messaging platforms, file-sharing tools, and clinical communication systems. Internal Slack messages and unencrypted email attachments containing PHI violate the proposed encryption mandates.
Budget for 2026
Allocate a 15% to 20% increase in IT security spend for the 2026 fiscal year. The three mandatory controls (encryption, MFA, centralized logging) drive the cost increase. Organizations deferring these investments face OCR penalties averaging $1.2 million per settlement and corrective action plans lasting two to three years.
1. Conduct a technology asset inventory of every system touching ePHI: EHR platforms, email servers, messaging tools, cloud storage, medical devices, and mobile applications.
2. Classify each asset by encryption status (encrypted at rest, encrypted in transit, or unencrypted).
3. Present the gap analysis and budget requirements to executive leadership before the next fiscal planning cycle. Frame the investment against OCR settlement averages ($1.2M) and corrective action plan costs.
The “addressable” loophole is closed. Organizations documenting exceptions instead of implementing controls operated on borrowed time for two decades. Start with encryption, MFA, and centralized logging: these three controls represent the largest capital expenditure and the longest deployment timelines in the proposed rule.
Frequently Asked Questions
Does “addressable” mean optional in HIPAA?
The addressable designation has never meant optional under the HIPAA Security Rule and requires a three-step process: assess feasibility, implement if reasonable, or document the rationale and implement an equivalent alternative [164.306(d)(3)]. Skipping implementation without an equivalent alternative violates the Security Rule.
Is HIPAA encryption mandatory in 2026?
The January 2025 NPRM proposes making encryption mandatory by eliminating the addressable designation [HHS OCR NPRM 2025]. Under the proposed rule, AES-256 encryption at rest and TLS 1.2+ in transit become required for all ePHI.
When does the new HIPAA Security Rule take effect?
HHS expects to publish the Final Rule in late 2025 or 2026, with enforcement beginning 12 to 24 months after publication. Organizations should begin compliance efforts now to avoid compressed implementation timelines.
What is the difference between addressable and required specifications?
Required specifications demand implementation without exception. Addressable specifications allow organizations to assess feasibility and implement an equivalent alternative if the specification is not reasonable for their environment [164.306(d)]. The 2025 NPRM proposes eliminating this distinction.
What happens if I marked a control “N/A” on my risk assessment?
Marking a control “N/A” without documenting an equivalent alternative measure is non-compliant under the current HIPAA Security Rule. Under the proposed rule, the “N/A” option disappears entirely, so such an entry becomes indefensible. Review every “N/A” entry and implement the control or an equivalent alternative immediately.
How much does HIPAA encryption compliance cost?
HIPAA encryption implementation costs vary by infrastructure complexity. Budget $15,000 to $50,000 per legacy server for AES-256 upgrades, plus ongoing key management costs. Cloud-native platforms (AWS, Azure, Google Cloud) include encryption at rest by default at no additional charge.
Does MFA become required under the proposed rule?
The proposed rule mandates multifactor authentication for all access to systems containing ePHI [HHS OCR NPRM 2025]. Budget $5 to $10 per user per month for enterprise MFA licensing.
What enforcement precedent exists for addressable specification failures?
Anthem paid $16 million for risk analysis and access control failures [OCR Anthem Settlement 2018]. Premera Blue Cross paid $6.85 million for risk management and audit control deficiencies [OCR Premera Settlement 2020]. Both cases involved addressable specifications the organizations failed to implement adequately.