While the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, it wasn't until 2003 that the Department of Health and Human Services (HHS) issued the Security Rule. The Security Rule is intended to complement the Privacy Rule, focusing specifically on Electronic Protected Health Information (ePHI). It was needed because many doctors and covered entities were transitioning from paper files to electronic media, creating a need for new security standards to protect electronic patient information.
When the HHS created the Security Rule, however, it made it “technology neutral.” This means, contrary to popular belief, that covered entities are not required to use any specific technology when implementing the safeguards set forth in the Security Rule. Some covered entities assume that all ePHI must be encrypted in order to comply with the Security Rule. However, the HHS explains on its website that this is not necessary: because the Security Rule is technology neutral, covered entities are not required to implement any specific technology.
So, why did the HHS make the HIPAA Security Rule technology neutral, and what purpose does this serve? This is an all-too-common question asked by covered entities and business associates alike. The HHS answers it on its website, explaining that any specific technology requirements would “bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.”
In other words, the HHS decided not to include specific technology standards in the HIPAA Security Rule because of the fast-growing, ever-developing nature of technology itself. Back when HIPAA first took effect (1996), for instance, cloud computing was virtually unheard of – at least for doctors and medical practitioners. Today, however, it's used by thousands of covered entities, both big and small, as part of their day-to-day operations. If the Security Rule required covered entities to implement specific technologies when using cloud computing services, it could restrict their ability to grow as cloud computing evolved.
Hopefully, this gives you a better understanding of why the HIPAA Security Rule is technology neutral. In short, the HHS made the rule technology neutral so that covered entities can grow and use the most current technologies available. If specific technologies were required as part of the HIPAA Security Rule, it could place a significant burden on covered entities as they try to keep up with the latest technologies.