Here's what the final HIPAA security rule says about the amount of flexibility your facility is allowed:

45 CFR 164.306(b)(2): In deciding which security measures to use, a covered entity must take into account the following factors:

(i) The size, complexity and capabilities of the covered entity
(ii) The covered entity's technical infrastructure, hardware and software security capabilities
(iii) The costs of security measures
(iv) The probability and criticality of potential risks to electronic protected health information.