HIPAA Security Implementation, Version 1.0

2.4 GUIDING PRINCIPALS FOR SECURITY RULE

The Security rule should be seen as an on going organizational process to protect health care information in electronic form through administrative safeguards, physical safeguards, and technical safeguards. The objectives of this process are to continually assess your organization's risk and develop risk management strategies to:

• Ensure the confidentiality, integrity, and availability of all ePHI

• Protect against any reasonable threats or hazards to the security or integrity of such information

• Protect against any reasonably anticipated uses or disclosures not permitted

• Ensure workforce compliance

Because covered entities vary in size and function within the health care industry, the regulation is technology neutral, flexible, and allows for reasonable and appropriate implementation strategies. The standards to secure electronic transactions of health care information were selected because they were:

• Cost effective

• Consistency and compatibility across covered entities

• Predictable

• Unambiguous

• Keep data collection and paperwork burdens as low as possible on users

Covered entities can use any security measures that allow them to reasonably and appropriately implement the standards and specifications. This follows HIPAA's intent for being technology neutral and flexible. Covered entities select the security measures necessary to meet the standard based on the covered entities:

• Size

• Complexity

• Capabilities

• Technological Infrastructure

• Cost

• Probability and criticality of potential risks