Rightsizing HIPAA security compliance for smaller organizations.

Author information

Proctor Paul E, Davis Nick, Rosenblum Barbara

Publication information

J Healthc Inf Manag. 2003 Summer;17(3):34-40.

Abstract

The HIPAA security and privacy requirements are specifically designed using guidelines rather than hard and fast standards. These guidelines provide flexibility in scaling solutions for small to large organizations to address the law as well as to accommodate advances in technology. However, this very flexibility causes a quandary for smaller organizations because it's unclear how far an organization can scale back and still meet the law's requirements. This is particularly problematic in the security area, where over 20 guidelines permit a wide range of interpretation. This article addresses how much is enough and how to make defensible decisions in HIPAA implementation for smaller healthcare organizations.
