NIST Seeks Feedback on HIPAA Security Rule Implementation Guidance

In 2008, the National Institute of Standards and Technology (NIST) released guidance for HIPAA-covered entities and business associates on implementing the HIPAA Security Rule. The guidance discusses the security considerations and resources that are useful when implementing the requirements of the HIPAA Security Rule.

A lot has changed since 2008. NIST has published new cybersecurity resources, and cybersecurity best practices have evolved. NIST believes the guidance document is due for an update and, ahead of that update, is now seeking comment on the document from healthcare industry stakeholders.

While large parts of the guidance document – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – remain relevant today, the guidance needs to incorporate updated resources, both those provided by NIST and useful resources from non-NIST sources. The document would also benefit from an update that improves its usability and relevance for HIPAA-covered entities and business associates of all sizes and types.

NIST wants to know what parts of the guidance have been particularly useful and any parts that have not, along with the reasons why. Covered entities and business associates may feel that key elements of HIPAA Security Rule compliance are missing from the guidance. NIST wants to know about any additional topics that would be relevant and useful.

NIST is seeking feedback on ways the guidance can be made more useful, relatable, and actionable. Healthcare organizations have discovered many ways of meeting the requirements of the HIPAA Security Rule. If those methods deviate from the guidance and have been effective, NIST would like details.

NIST has also asked for comment on any difficulties stakeholders have encountered in aligning the Security Rule implementation guidance with other standards or guidelines, and asked stakeholders to share any resources they have found useful for implementing the HIPAA Security Rule while simultaneously managing compliance and security, assessing PHI risk, and analyzing the effectiveness of security measures.

Healthcare organizations must document how they demonstrate adequate implementation of the HIPAA Security Rule. NIST wants to know about those processes, and how recognized security practices may overlap with or deviate from HIPAA Security Rule compliance.

All comments received will be in the public domain and will be considered when updating the guidance. NIST will, as far as is practicable, include suggested changes in the updated guidance document.

Stakeholders have until June 15, 2021 to submit their comments and feedback. After the guidance has been updated, a draft will be published for review and further comment.