OCR Issues Crosswalk Between the HIPAA Security Rule and NIST Cybersecurity Framework

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently issued a crosswalk to assist HIPAA covered entities in complying with the HIPAA Security Rule and managing cybersecurity risks under the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The purpose of the Crosswalk is to help covered entities identify mappings between the Security Rule and the NIST Framework. It can be used by HIPAA covered entities that have aligned their cybersecurity programs to either the HIPAA Security Rule or the NIST Framework. The aim is to help covered entities identify gaps in those programs and take action to improve their cybersecurity protections. By addressing these gaps, covered entities can bolster Security Rule compliance and improve their security measures so that ePHI is adequately secured.

Organizations that have developed their security programs to meet the requirements of the HIPAA Security Rule can use the Crosswalk to determine which aspects of the NIST Framework have been met, and which new elements need to be incorporated into their security programs.

The Crosswalk maps each of the administrative, physical, and technical safeguard standards and implementation specifications of the HIPAA Security Rule to relevant subcategories of the NIST Framework. In many cases, HIPAA standards and implementation specifications map to more than one subcategory of the NIST Framework.

The HIPAA Security Rule does not refer to specific technologies. Instead, covered entities are expected to continually assess new technologies and best practices and incorporate them into their security programs as appropriate. The NIST Framework is far more granular and provides much greater detail on the measures HIPAA covered entities can adopt to improve critical infrastructure cybersecurity. Because the HIPAA Security Rule is technology-neutral, its requirements can readily be incorporated into more detailed frameworks such as the NIST Cybersecurity Framework.

OCR points out that covered entities are not required to adopt the NIST Framework in order to comply with the HIPAA Security Rule, although doing so has the potential to help them improve their cybersecurity measures and better protect ePHI. HIPAA covered entities are also warned that using the NIST Framework to improve security does not guarantee compliance with the HIPAA Security Rule.

Entities that have chosen to align their security programs with the NIST Framework should therefore use the Crosswalk to help ensure they have met the requirements of the HIPAA Security Rule. Organizations that have aligned security programs to the HIPAA Security Rule can use the Crosswalk to help them manage their security risks more effectively.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news