NIST’s guidance, first published in 2005 and last updated in 2008, provides insight and suggestions as to how HIPAA-regulated entities are expected to implement Security Rule requirements. The HIPAA Security Rule generally eschews detailed, prescriptive requirements in favor of broader, higher-level safeguards, allowing HIPAA-regulated entities to adopt a diverse set of approaches in implementing the Rule. NIST’s guidance was intended to help bridge the divide between the high-level Security Rule language and much more detailed NIST cybersecurity guidance. NIST is now updating its HIPAA security guidance to reflect dramatic changes in the cyber risk landscape, numerous NIST cybersecurity-related guidance publications issued over the past 13 years and other “recognized security practices” that are used across the health sector.
NIST is seeking public comment on potential improvements to its guidance and on how HIPAA-regulated entities currently implement the HIPAA Security Rule.
In terms of improving the guidance, NIST would like HIPAA-regulated entities to:
- Describe what content of the Resource Guide is being used and how you are using it.
- Describe what components of the Resource Guide have been least useful to you and why.
- Share any key concepts or topics that you believe are missing from the Resource Guide, including what they are and why they merit special attention.
- Describe how the Resource Guide can be more useful, relatable, and actionable to a variety of audiences (e.g., small health care providers, health plans, health care clearinghouses, business associates).
- Describe the potential benefits or challenges experienced when aligning the Resource Guide more closely with other related standards, guidelines, or resources (e.g., the Cybersecurity Framework; NIST SP 800-37, Risk Management Framework for Information Systems and Organizations; NIST SP 800-30, Guide for Conducting Risk Assessments; NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations).
- Describe which components of the Resource Guide you think are best left as static content that should not change until the next revision and which components could be managed as dynamic content (i.e., require more frequent changes or updates to accommodate new information as it becomes available).
NIST is also seeking information on how HIPAA-regulated entities have implemented the HIPAA Security Rule:
- Describe any tools, resources, or techniques that your organization currently uses or would like to use to implement the HIPAA Security Rule.
- Describe how your organization manages compliance and security simultaneously (i.e., how your organization achieves compliance with the HIPAA Security Rule while also improving cybersecurity posture).
- Describe how your organization assesses risk to ePHI (electronic protected health information) and how this assessment leads to the identification of appropriate security controls/practices.
- Describe how your organization determines that security measures implemented in accordance with the Security Rule are effective in protecting ePHI and how often your organization initiates a process to determine such effectiveness.
- If your organization implements recognized security practices, describe how you document the process of demonstrating adequate implementation.
- Describe how these recognized security practices overlap with and diverge from compliance with the HIPAA Security Rule at your organization.
- Describe how your organization manages concerns regarding business associates’ compliance with the HIPAA Security Rule. Describe the role that contracts or other agreements serve in protecting ePHI disclosed to business associates.
- Describe how your organization facilitates communication—both internal and external to the organization—about HIPAA Security Rule implementation and compliance.
NIST has set a June 15, 2021 deadline for public comments, to be submitted by email to email@example.com. HIPAA-regulated entities are advised to consider providing comments in order to help shape the next decade of HIPAA security enforcement activity by clarifying more ambiguous, potentially outdated, or burdensome aspects of the HIPAA Security Rule or further enhancing the agency’s consideration of other security frameworks and standards as “recognized security practices” going forward.
Authored by Marcy Wilder, Paul Otto, and Jacob Wall