The Department of Health and Human Services’ Office for Civil Rights has issued a crosswalk between the NIST Cybersecurity Framework and HIPAA Security Rule to help covered entities assess whether there are any gaps in their compliance programs.
NIST Cybersecurity Framework and HIPAA Security Rule Crosswalk Issued By OCR
The crosswalk between the NIST Cybersecurity Framework and HIPAA Security Rule was developed in conjunction with the HHS Office of the National Coordinator for Health IT and NIST. The crosswalk maps HIPAA standards to the appropriate subcategories in the NIST framework.
The Framework for Improving Critical Infrastructure Cybersecurity issued by the National Institute of Standards and Technology (NIST) in February 2014 was developed to help organizations understand and manage cybersecurity risks more effectively.
Many healthcare organizations choose to follow the NIST Cybersecurity Framework to ensure that ePHI is better protected. However, if a healthcare organization is also covered under the Health Insurance Portability and Accountability Act, that entity must also ensure ePHI is protected in accordance with the HIPAA Security Rule.
The Security Rule requires covered entities and their business associates to protect all ePHI they create, receive, maintain, or transmit, and to implement administrative, physical, and technical safeguards that maintain the confidentiality, integrity, and availability of that ePHI.
The HIPAA Security Rule was deliberately written to be technology neutral so that covered entities can adopt new safeguards for ePHI as technology evolves. Because the Rule does not prescribe specific technologies or controls, its requirements can be mapped readily onto cybersecurity frameworks such as the one developed by NIST.
OCR points out in its crosswalk that certain elements of the HIPAA Security Rule may map to more than one subcategory of the NIST framework, because the framework is considerably more granular than the Rule. Covered entities are warned that aligning an information security program with the NIST Cybersecurity Framework does not by itself guarantee compliance with HIPAA: the framework is voluntary and risk-based, whereas the Security Rule's required standards and implementation specifications must each be addressed and documented. The crosswalk is intended to help covered entities see where the two overlap and where a Security Rule requirement still has to be verified separately.
The NIST Cybersecurity Framework and HIPAA Security Rule crosswalk can be downloaded from the HHS website.