
NIST Seeks Feedback on Guide to Implementing HIPAA Security Rule

Industry stakeholders are being urged to comment on proposed changes to the NIST HIPAA Security Rule resource guide, including its uses and applications.

NIST announced that it plans to update its Introductory Resource Guide for Implementing the HIPAA Security Rule (NIST SP 800-66 Revision 1) and is seeking comment from industry stakeholders on proposed changes, including insights into how the guide is applied in practice.

In its current form, the guide “discuss[es] security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule.”

“[It] was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule,” according to officials.

NIST explained that its cybersecurity resources have evolved considerably since the guide was first published in 2008, and that the industry will benefit from an updated resource informed by stakeholder feedback.

NIST is asking stakeholders whether the guide still serves its stated purpose: to explain the information security terms used in the HIPAA Security Rule and to raise awareness of the NIST cybersecurity resources that are pertinent to the Security Rule.

Stakeholders are also asked to provide relevant resources available to the industry that stem from other cybersecurity sources.

Specifically, officials hope that comments grounded in real-world use will show where the guide works, where it falls short, and how it could be improved.

Stakeholders are asked to describe how the resource is used within their organization, which components are least useful, and why. NIST also asks leaders to identify key concepts they feel the guide is missing and to explain why those topics are needed.

NIST is also asking for insights into how the resource can be made more effective, relatable, or actionable, based on the audience, such as smaller healthcare organizations, health plans, or even clearinghouses.

The agency is also seeking insights into the benefits or drawbacks entities have faced when aligning the resource guide with other standards or guidelines. Stakeholders should also provide comments on what elements should remain unchanged and those that need a more frequent update.

Stakeholders are also being asked to identify the resources they used when implementing the HIPAA Security Rule, and to explain how their organizations manage compliance and security at the same time, assess risk to protected health information (PHI), and measure the effectiveness of their security controls.

Entities that have adopted recognized security practices are also urged to explain how they document and demonstrate adequate implementation of those practices, and where that documentation overlaps with or diverges from HIPAA Security Rule compliance.

NIST is also seeking input on implementation guidance for covered entities and business associates.

Comments will be accepted until June 15, 2021 and will be incorporated into a planned update to the guidance, where applicable. NIST will then publish draft guidance for public review and further comment.

The effectiveness, or lack thereof, of HIPAA has been under the microscope in recent years as health apps and other digital technologies play a more prevalent role in healthcare. Because HIPAA went into effect before these tools existed, the rule lacks some components critical to building an effective privacy and security program.

The Department of Health and Human Services has proposed amendments to the rule that would address these gaps, but lasting change will require Congressional action.

In the interim, free resources, such as those from NIST and the Healthcare and Public Health Sector Coordinating Council (HSCC), can help support organizations attempting to bolster their security programs.
