NIST Releases Guidance for HIPAA Security Rule Implementation

| Author , tagged in hipaa, NIST
Cloudticity, L.L.C.

The guide is designed to help HIPAA regulated entities comply with legal requirements through risk analysis and more.


In mid-February, the Nationalist Institute of Standards and Technology (NIST) in partnership with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released Special Publication 800-66r2, titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

The 122-page document provides a variety of practical advice for HIPAA regulated entities, focusing on risk assessments and risk management, as well as administrative, physical, and technical safeguards. 

Explore the Details

The document aims to support compliance efforts by: 

  • Ensuring organizations are selecting security practices that safeguard ePHI,
  • Informing the development of compliance strategies that are useful for organizations of various size and structure,
  • Providing guidance on best practices for developing and implementing a risk management plan, and
  • Creating appropriate documentation to help organizations demonstrate they are compliant with the HIPAA Security Rule. 

Risk Assessment Guidance

While the HHS OCR does not require organizations to follow any particular risk assessment or management methodology, it’s imperative that organizations carefully work to assess potential vulnerabilities that could lead to improper disclosure or modification. 

NIST recommends organizations take the following steps: 

1. Prepare for the assessment by understanding where ePHI is created, received, maintained, processed, and transmitted physically or through a network. 

2. Identify reasonably anticipated threat events and threat sources, including threats related to confidentiality, integrity, and potential for phishing, ransomware, or an insider threat. 

3. Identify potential vulnerabilities and conditions that could be exploited.

4. Determine the likelihood that a vulnerability or condition could be exploited and provide a rating of the likelihood. 

5. Determine the impact of a threat; some threats may only result in a minor impact, while others could severely harm an organization. 

6. Determine the level of risk, which is the combined rating of the likelihood and impact of a vulnerability or condition. 

7. Document results of the risk assessment. 

Risk Management Guidance 

Once an organization has conducted its risk assessment, it can begin using tools and resources to manage it. NIST recommends organizations implement technical and non-technical controls separate from the protection of ePHI, such as policies, processes, and technology. 

Risk management will vary from organization to organization, and the NIST has released other guiding documents on how organizations can determine the best risk management practices, such as the NIST Risk Management Framework.

Similar to the risk assessment, the NIST strongly advises organizations to document how they manage risk. 

Administrative, Physical, and Technical Safeguards  

The document outlines several safeguards. On the administrative side, the NIST says it's important for administrators to identify ePHI and relevant information systems, conduct the risk assessment and subsequent risk management, acquire information technology systems and services, create proper policies and procedures, and more. 

On the physical side, the NIST recommends organizations conduct an analysis of any physical vulnerabilities, develop a facility security plan, establish contingency operation procedures, identify workstation device types and functions, identify methods of physical access to workstations and risks associated, develop data backup and storage procedures, and more. 

For technical safeguards, the NIST advises organizations to analyze workloads and operations, identify technical access control capabilities, develop access control policies, review and update access for users and processes, determine activities that will be tracked or audited, and more. 

Each safeguard suggestion had specific action steps for organizations and sample questions for those creating safeguards. 

What the Experts Said

The author of the document, Jeffrey Marron of the NIST, notes that the Security Rule is “flexible, scalable, and technology-neutral.” He adds, “For that reason, there is no one single compliance approach that will work for all regulated entities.” 

Marron shares that organizations may adopt parts of the guidance as they are applicable. “While the required standards and implementation specifications [of the Security Rule] are the same for all regulated entities, reasonable and appropriate implementations of such standards and implementation specifications may be different for different organizations.” 

Marron encourages regulated entities to initially focus on building a fundamental risk management process, stating that “Risk assessment and risk management processes are foundational to a regulated entity’s compliance with the Security Rule and the safeguarding of ePHI.”  

How Cloudticity Can Help

Cloudticity, founded in 2011, was the first provider to deploy protected health information workloads on the public cloud. With a HITRUST CSF certified solution, Cloudticity helps organizations align with HIPAA technical requirements, as well as other regulatory frameworks such as FISMA High and NIST 800-53. 

With a focus on security and compliance, Cloudticity keeps up with regulatory trends and security updates, ensuring companies are prepared for the evolving cybersecurity environment. 

While healthcare data breaches are skyrocketing, and the HHS continues to hold companies to high-security standards, Cloudticity has never experienced a breach. We keep your cloud-native workloads secure and compliant so that your company can focus internal bandwidth on solving healthcare problems.  

Reach out for a free consultation.

speak with a healthcare cloud expert


Subscribe Today

Get notified with product release updates and industry news.