NIST Releases Final HIPAA Security Rule Implementation Guide

The National Institute of Standards and Technology (NIST) and the HHS Office for Civil Rights (OCR) have released the final version of their HIPAA Security Rule Implementation Guide (Special Publication 800-66, Revision 2). The guidance document was first released in 2008 and was updated in 2022, with the draft of the updated revision published in July 2022. The guidance serves as a crosswalk between the NIST Cybersecurity Framework (CSF) and the HIPAA Security Rule, mapping each HIPAA Security Rule standard to the corresponding subcategories of the NIST CSF.

The updated guidance can be used by HIPAA-regulated entities in whole or in part to improve their cybersecurity posture and will help them to achieve and maintain compliance with the Security Rule. OCR’s HIPAA audits and investigations of data breaches have revealed common areas of noncompliance, one of the most common being the risk analysis. In the last round of HIPAA audits in 2017, no audited entity was fully compliant with the risk analysis requirements of the HIPAA Security Rule.

The HIPAA Security Rule Implementation Guide explains the HIPAA risk analysis requirements and offers advice on how to conduct a HIPAA risk assessment to identify threats and vulnerabilities to electronic protected health information (ePHI). The steps covered include identifying reasonably anticipated threats, determining the likelihood that a threat will exploit a given vulnerability, assessing the impact if that vulnerability is exploited, and deriving a level of risk for each vulnerability from that likelihood and impact.

By following the recommendations, each vulnerability can be assigned a risk rating that allows HIPAA-regulated entities to prioritize their remediation efforts. Regulated entities must decide which risk ratings represent an unacceptable risk to ePHI and therefore have to be addressed. For instance, an entity may determine that vulnerabilities with only a low risk rating do not need to be remediated, in which case it must prioritize and remediate every risk rated above that level. The guidance also offers suggestions on how HIPAA-regulated entities can manage risks to ePHI and reduce them to an acceptable level.
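As an added illustration, not code from the guide or the article, the following minimal risk register follows the steps the article describes: each vulnerability is recorded with the threat that could exploit it and a likelihood and impact judgement, a rating is derived from those two values, and only entries rated above the entity's chosen acceptable level are queued for remediation. The three-level scale, the scoring matrix and the sample entries are assumptions, since the guide leaves the choice of scale and matrix to the regulated entity.

```python
from dataclasses import dataclass

# Assumed 3-level qualitative scale. SP 800-66 leaves the choice of scale and
# risk matrix to the regulated entity; the values below are illustrative only.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class RiskEntry:
    """One line of a risk register: a vulnerability affecting ePHI, the
    reasonably anticipated threat that could exploit it, and the analyst's
    likelihood and impact judgements (keys of LEVELS)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        # likelihood x impact on the assumed numeric scale (1..9)
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        # Assumed matrix: 1-2 -> low, 3-4 -> moderate, 6-9 -> high
        s = self.score()
        return "high" if s >= 6 else "moderate" if s >= 3 else "low"


def prioritize(register, acceptable=("low",)):
    """Return the entries whose rating is not within the acceptable set,
    highest score first. Acceptable entries stay documented but are not queued."""
    todo = [r for r in register if r.rating() not in acceptable]
    return sorted(todo, key=lambda r: r.score(), reverse=True)


# Constructed sample register (hypothetical assets; not from the guide)
SAMPLE_REGISTER = [
    RiskEntry("EHR database", "external attacker", "unpatched DB server", "high", "high"),
    RiskEntry("clinician laptops", "theft or loss", "disk not encrypted", "moderate", "high"),
    RiskEntry("backup tapes", "environmental", "stored off-site in locked vault", "low", "moderate"),
    RiskEntry("billing portal", "insider misuse", "shared admin account", "moderate", "moderate"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rating():8} score={r.score()}  {r.asset}: {r.vulnerability}")
```

Changing the `acceptable` tuple is how the entity's own tolerance decision from the paragraph above is expressed; the register itself does not change.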

The guidance also offers suggestions and considerations for implementing the various requirements of the HIPAA Security Rule, and links to important resources such as OCR guidance, the Health Industry Cybersecurity Practices (HICP), and the MITRE ATT&CK knowledge base. NIST has also updated its Cybersecurity and Privacy Reference Tool, which summarizes the requirements of the HIPAA Security Rule.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/