One can implement HIPAA in a proprietary manner or use standards, in particular DICOM, and the profile definitions as described in IHE.  To provide a homogeneous and consistent infrastructure that can  facilitate different vendors, it makes sense to use standard solutions.

Security implementation on a device is typically divided into four categories.  One of the four categories is Authorization.

After a system has determined a person's identity, the next step is to find out what information he or she has access to, based on a certain user profile or role.  For example, a file room clerk will most likely have a different profile from a nurse.  This is known as role based authorization.