The National Institute of Standards and Technology (NIST) has refreshed its HIPAA Security Rule compliance guidance. The guidance was last updated in 2008 and a lot has changed in the past 14 years, including the release of the NIST Cybersecurity Framework. The new guidance serves as a practical guide for the healthcare industry to help with the implementation of the HIPAA Security Rule, to better protect healthcare data from unauthorized access.
A draft version of the guidance – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST SP 800-66 Revision 2) – has been released and NIST is accepting comments until September 21, 2022. Comment was previously sought when creating the revised guidance, and NIST factored in more than 400 responses from healthcare industry stakeholders before releasing the guidance. The guidance is more of a refresh than an overhaul, as the structure of the guidance has largely remained the same, but there are important additions. NIST has also emphasized risk management and has integrated enterprise risk management concepts.
“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.”
The guidance includes a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework, as well as other NIST guidance released since the last update. In 2021, a change was made to the HITECH Act that called for the HHS’ Office for Civil Rights – the main enforcer of HIPAA compliance – to consider the “recognized security practices” that had been in place continuously for the previous 12 months when making determinations in its enforcement actions.
Adoption of the NIST Cybersecurity Framework is one of the recognized security practices that will be considered, so the guidance will help HIPAA-regulated entities in this regard and potentially avoid certain HIPAA penalties or reduce their severity. OCR will be releasing specific guidance on recognized security practices later this year.
The revised guidance is essential reading for all healthcare organizations and business associates required to comply with the HIPAA Security Rule. OCR’s enforcement activities show that compliance with the HIPAA Security Rule has proven problematic for many HIPAA-regulated entities, with HIPAA Security Rule violations frequently discovered during investigations of data breaches. Healthcare data breaches have also been increasing year over year, with record numbers of hacking incidents now being reported. Compliance with the HIPAA Security Rule will not prevent all data breaches but will prevent many and can greatly limit the severity of data breaches should they occur.