The National Institute of Standards and Technology (NIST) has released the second revision of its HIPAA Security Rule cybersecurity resource guide – a document intended to help HIPAA-regulated entities achieve and maintain compliance with the HIPAA Security Rule. The guidance document was last updated in 2008 before the release of the NIST Cybersecurity Framework. The update includes a crosswalk between the NIST Cybersecurity Framework and the HIPAA Rule, and links with aspects of other NIST publications that have been released by NIST since the last revision, including the Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53 – revision 5).
The HIPAA Security Rule is concerned with ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI), which is any personally identifiable information related to the past, current, or future health or mental health of an individual. The updated guidance is more of a refresh than an overhaul, as the structure of the document has largely remained unchanged. “One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST information technology specialist. “The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the Security Rule.”
In addition to mapping the HIPAA Security Rule to the NIST Cybersecurity Framework, NIST has increased the emphasis on risk assessments and risk management. These are both critical for protecting ePHI and are aspects of HIPAA compliance that many HIPAA-regulated entities struggle with. The enforcement actions by the HHS’ Office for Civil Rights and its audit program have uncovered many cases of HIPAA-regulated entities being non-compliant with these HIPAA provisions.
According to NIST, the updated guidance “provides foundational information about risk assessment and an approach that regulated entities may choose to use in assessing risk to ePHI.” The guidance will help HIPAA-regulated entities conduct risk assessments, identify potential threats, document those threats, and prioritize the management of those threats. The guidance document is not intended to be a checklist for ensuring compliance with the HIPAA Security Rule but does contain valuable information to make HIPAA Security Rule compliance easier to achieve.
NIST is now accepting comments on the draft version of the updated guidance document – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (SP 800-66r2). NIST has detailed the most significant changes in the “Note to Reviewers” section of the guidance, where seven questions are included related to the specific sections of the guidance where NIST is seeking comments. Comments on the draft version of SP 800-66r2 will be accepted until September 21, 2022.