HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

What are technology-neutral standards?

Written by Kirsten Peremore | Jan 9, 2025 3:18:15 AM

The HHS Security Series notes, “When the final Security Rule was published, the security standards were designed to be ‘technology neutral’ to accommodate changes. The rule does not prescribe using specific technologies so that the health care community will not be bound by specific systems and/or software that may become obsolete.”

Technology neutrality lets healthcare entities choose among technical solutions without being restricted to specific tools, vendors, or systems. Encryption of electronic protected health information (ePHI) is an example: the Security Rule lists encryption as an addressable implementation specification, but it names no algorithm, key length, or product, so an organization may select whatever encryption method fits its systems, provided the choice is supported by its risk analysis and documented. That flexibility lets organizations of different sizes implement safeguards that are reasonable and appropriate for their size, complexity, technical infrastructure, and available resources.

The benefits of technology-neutral standards

  1. Technology-neutral standards let healthcare organizations select the technologies that best fit their needs without being bound to particular systems or software.
  2. By not favoring specific technologies, HIPAA promotes an environment where innovation can thrive. Healthcare organizations can explore new solutions that improve workflows, patient communication, and data management.
  3. Organizations avoid the cost of implementing mandated technologies that may not fit their operational realities.
  4. Technology-neutral standards require organizations to conduct thorough risk analyses and implement safeguards tailored to their own environments, rather than checking boxes against a fixed product list.
  5. By focusing on outcomes rather than specific technologies, these standards contribute to regulatory stability. They reduce the need for frequent updates to the regulations as new technologies emerge.

The challenges

Without prescriptive guidelines, compliance rests on risk assessments that are partly subjective, and organizations can underestimate the scope of their security obligations. During the pandemic, for example, many providers adopted telehealth solutions quickly without fully understanding the data security and privacy implications. The standards also create the potential for disparities in compliance among smaller practices that lack the expertise to translate a general requirement into concrete safeguards.

How healthcare organizations can implement technology-neutral standards

  1. Start with a risk analysis: inventory where ePHI is created, received, stored, and transmitted, identify the threats and vulnerabilities affecting those systems, and determine which safeguards are reasonable and appropriate to address the risks found.
  2. Develop policies and procedures that reflect the technologies and security measures chosen, and document each decision, including the rationale for any addressable specification that is met through an alternative measure or not implemented at all. The Security Rule requires this documentation to be retained for six years.
  3. When using third-party services such as HIPAA-compliant email platforms or telehealth services, have a business associate agreement (BAA) in place before the vendor handles ePHI.

FAQs

How would healthcare organizations benefit from more targeted technological standards?

Targeted technological standards provide clear guidelines that help organizations implement technology aligned with specific compliance requirements, instead of the uncertainty that comes with technology-neutral standards, where each organization must decide for itself what is reasonable and appropriate.

What is the consequence of the removal of addressable and required implementations?

Under the current Security Rule, “required” implementation specifications must be implemented as written, while “addressable” ones let an organization implement the specification, substitute a reasonable and appropriate alternative, or document why neither is reasonable and appropriate. Removing that distinction, so that every specification is required, eliminates the judgment call about whether a safeguard applies; combined with more targeted standards, it takes away some of the uncertainty organizations face in deciding what compliance requires.