HHS, NIST Finalize Joint HIPAA Security Rule Guidance

The revised publication, issued by NIST and OCR, aims to help covered entities and business associates comply with the HIPAA Security Rule and manage risks to PHI.

The HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) published the final version of Special Publication (SP) 800-66 Revision 2, aimed at helping covered entities and business associates better understand and comply with the HIPAA Security Rule.

SP 800-66 was originally published in 2008; HHS and NIST issued a draft revision in July 2022 with the goal of making the publication more actionable. The final version serves as a resource guide and maps the HIPAA Security Rule’s standards to the NIST Cybersecurity Framework subcategories.

“The Security Rule is flexible, scalable, and technology-neutral. For that reason, there is no one single compliance approach that will work for all regulated entities,” the publication states.

“This publication presents guidance that entities can utilize in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the Security Rule.”

Throughout the document, NIST and HHS provided suggestions for cybersecurity measures that can help covered entities and business associates assess and manage risks to electronic protected health information (ePHI).

For example, the publication includes a detailed explanation of risk management requirements under HIPAA and walks covered entities through the process of determining risks to ePHI in accordance with organizational risk tolerance.

“Some threat/vulnerability pairs may indicate a moderate or high level of risk to ePHI, while others may indicate a low level of risk to ePHI,” the document notes.

“The regulated entity will need to determine what risk rating poses an unacceptable level of risk to ePHI, and any threat/vulnerability pairs that indicate a risk rating above the organizational risk tolerance will need to be addressed. If using a scale of ‘low,’ ‘moderate,’ and ‘high,’ the regulated entity may determine that any moderate or high level of risk to ePHI is unacceptable and must be remediated.”

Essentially, covered entities can use this guidance to inform risk mitigation strategies and compliance efforts.
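The risk-determination step quoted above (rate each threat/vulnerability pair, compare it to the organization's tolerance, remediate anything above it) is easy to misapply without a concrete structure. The following Python is an added example, not code from NIST, OCR or SP 800-66: the likelihood/impact matrix, the `ThreatVulnerabilityPair` class and the sample pairs are all constructed for illustration, and the publication does not prescribe any particular matrix or scale beyond the low/moderate/high example it mentions.

```python
"""Worked illustration of the SP 800-66 risk-rating and tolerance step.

Added example, not NIST/OCR code. The 3x3 likelihood/impact matrix and the
sample threat/vulnerability pairs below are constructed for illustration;
a regulated entity must define its own matrix, scale and tolerance.
"""
from dataclasses import dataclass

# Ordered scale: index 0 is the lowest risk level.
LEVELS = ("low", "moderate", "high")

# Constructed matrix: RISK_MATRIX[likelihood][impact] -> risk rating.
RISK_MATRIX = {
    "low":      {"low": "low",      "moderate": "low",      "high": "moderate"},
    "moderate": {"low": "low",      "moderate": "moderate", "high": "high"},
    "high":     {"low": "moderate", "moderate": "high",     "high": "high"},
}


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    """One entry in a risk register: a threat acting on a vulnerability."""
    threat: str
    vulnerability: str
    likelihood: str   # one of LEVELS
    impact: str       # one of LEVELS

    def risk_rating(self) -> str:
        """Look up the rating from the matrix; reject values outside the scale."""
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"likelihood/impact must be one of {LEVELS}")
        return RISK_MATRIX[self.likelihood][self.impact]


def exceeds_tolerance(rating: str, tolerance: str) -> bool:
    """True when a rating is strictly above the organization's tolerance.

    With tolerance "low", every moderate or high rating is unacceptable,
    which is the policy the publication gives as an example.
    """
    return LEVELS.index(rating) > LEVELS.index(tolerance)


def pairs_requiring_remediation(pairs, tolerance: str = "low"):
    """Return the pairs rated above tolerance, highest risk first."""
    flagged = [p for p in pairs if exceeds_tolerance(p.risk_rating(), tolerance)]
    return sorted(flagged, key=lambda p: LEVELS.index(p.risk_rating()), reverse=True)


# Constructed sample register (hypothetical entries, not from the publication).
SAMPLE_PAIRS = [
    ThreatVulnerabilityPair("phishing", "no MFA on accounts with ePHI access", "high", "high"),
    ThreatVulnerabilityPair("lost laptop", "full-disk encryption not enforced", "moderate", "high"),
    ThreatVulnerabilityPair("power outage", "single UPS for on-site server", "moderate", "moderate"),
    ThreatVulnerabilityPair("misdirected fax", "manual fax-number confirmation", "low", "low"),
]

if __name__ == "__main__":
    for tol in ("low", "moderate"):
        print(f"tolerance={tol}:")
        for p in pairs_requiring_remediation(SAMPLE_PAIRS, tol):
            print(f"  [{p.risk_rating():8}] {p.threat} / {p.vulnerability}")
```

Running it with tolerance `low` flags three of the four constructed pairs; raising tolerance to `moderate` drops the power-outage entry, which shows why the tolerance decision itself needs to be documented alongside the ratings.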

In addition to the updated publication, NIST published a list of government resources, such as guides, templates, and tools, that covered entities can use to further enhance their HIPAA Security Rule compliance and risk reduction efforts.

The list includes links to key guidance documents such as the Health Industry Cybersecurity Practices (HICP) as well as reliable resources like the MITRE ATT&CK knowledge base.

What’s more, NIST updated its Cybersecurity and Privacy Reference Tool (CPRT), which clearly and concisely outlines HIPAA Security Rule regulations.

The joint publication by NIST and OCR is the latest in a string of new guidance and efforts by federal entities to bolster healthcare cybersecurity following the release of HHS’ healthcare cybersecurity strategy and President Biden’s National Cybersecurity Strategy.
