The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI) that is collected, maintained, used or transmitted by a covered entity. Compliance is different for each organization and no single strategy will serve all covered entities. Covered entities should look to § 164.306 of the Security Rule for guidance to support decisions on how to comply with the standards and implementation specifications contained in §§ 164.308, 164.310, 164.312, 164.314, and 164.316. In general, this includes performing a risk analysis; implementing reasonable and appropriate security measures; and documenting and maintaining policies, procedures and other required documentation. Compliance is not a one-time goal, but an ongoing process. Meeting the requirements set out in the evaluation standard at § 164.308(a)(8) will assist covered entities in maintaining substantial compliance. By performing periodic technical and non-technical evaluations of the information security environment, a covered entity will be able to better ensure the security of e-PHI.