New guidance to help regulated entities comply with the HIPAA Security Rule has just been published. The HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) issued the final version of Special Publication (SP) 800-66 Revision 2 in mid-February.

The National Institute of Standards and Technology (NIST) provides expert advice and guidance for science and technology professionals, including cybersecurity professionals. NIST is a non-regulatory agency of the U.S. Department of Commerce, leading innovation in science, engineering, measurements, and information technology.

The Abstract of the new SP 800-66 states:

“The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. This publication provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI and better understand the security concepts discussed in the HIPAA Security Rule.”

The SP 800-66 guidance was initially published in 2008; HHS and NIST issued a draft revision of SP 800-66 in July 2022 to make the publication more actionable. This 2024 final version is a resource guide for covered entities and business associates that aligns the HIPAA Security Rule’s standards to the NIST Cybersecurity Framework subcategories.

NIST and HHS provide suggestions in SP 800-66 for cybersecurity measures to help regulated entities assess and manage risks to electronic protected health information (ePHI).

For example, the publication includes a detailed explanation of risk management requirements under HIPAA. It shows regulated entities how to determine risks to ePHI in relation to the entity’s risk tolerance.

The guidance notes there is no one-size-fits-all solution to Security Rule compliance. Instead, regulated entities need to conduct a HIPAA risk analysis and make judgments about how to meet the requirements.

“The Security Rule is flexible, scalable, and technology-neutral. For that reason, there is no one single compliance approach that will work for all regulated entities. This publication presents guidance that entities can utilize in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the Security Rule.”

Cybersecurity Improvements Are a National Priority

This SP 800-66 publication from NIST and OCR is the most recent in an array of new guidance from HHS. Noting that the healthcare sector is vulnerable to cyberattacks, HHS has beefed up efforts to strengthen the healthcare sector’s cybersecurity resilience.

In December, HHS published a new Strategy that combines public-private collaboration with incentives and increased enforcement. For example, HHS plans to work with the industry to develop new voluntary Cybersecurity Performance Goals (CPGs). At the same time, it has announced that it intends to begin HIPAA audits later this year.

The HIPAA E-Tool® Contains the Audit Protocols

If you need help with HIPAA compliance, we have answers. The HIPAA E-Tool® has step-by-step guidance for compliance with the Privacy, Security and Breach Notification Rules. It also contains a Risk Analysis-Risk Management chapter with all 180 HHS HIPAA Audit Protocols. Get ahead of an audit and prevent a breach with The HIPAA E-Tool®.
