The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is designed to protect the privacy of healthcare patients and health insurance customers. It consists of three “Rules” – Administrative, Privacy and Security – each of which has its own caveats. While all three Rules are critical to compliance with the law, the Security Rule is the one that defines when and how covered entities should implement procedures to protect data. What it does not prescribe, however, is the specific technologies to use to achieve that goal.
So, why doesn't the HIPAA Security Rule provide more detailed instructions on how to protect patient information from unauthorized access or disclosure? As noted on the Health and Human Services (HHS) website, the Security Rule deals specifically with Electronic Protected Health Information (ePHI), which is in essence a subset of the information covered by the Privacy Rule. The HIPAA Privacy Rule deals with the broader category of Protected Health Information (PHI), which includes both physical and electronic records.
Surprisingly, the Security Rule is only about 8 pages long, making it relatively easy for covered entities to read and familiarize themselves with. But just because it's short doesn't necessarily mean that it's easy to understand. On the contrary, since the wording used in the HIPAA Security Rule is generalized, it leaves many issues open for interpretation, such as what procedures and safeguards covered entities should use exactly.
Of course, there's a good reason why the HIPAA Security Rule doesn't provide clearer and more descriptive guidance on the use of specific technologies. Because this Rule deals strictly with ePHI, the “best” procedures and safeguards will change on a regular basis. The HHS even published a reason as to why the Security Rule standards don't require specific technologies, saying “Any regulatory requirement for implementation of specific technologies would bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.”
In other words, technology in the healthcare sector is constantly growing and evolving. And if the HIPAA Security Rule forced covered entities to use a specific procedure or safeguard, it could restrict this growth. So for now, the HIPAA Security Rule remains somewhat broad and open for interpretation, without forcing covered entities to use specific technologies to protect their ePHI from unauthorized access or disclosure.