At the heart of HIPAA lies a set of core security tenets for which every affected organization is responsible. These fundamentals are absolutely non-negotiable – but the Security Rule as a whole actually allows for a certain degree of flexibility in how requirements are implemented.