
NIST and HIPAA Risk Analysis

HIPAA myths are risky. Don’t be misled by inaccurate statements on the internet about HIPAA shortcuts. The Office for Civil Rights (OCR), the agency that enforces HIPAA, warns that following the NIST Cybersecurity Framework (CSF) process does not replace a complete HIPAA Risk Analysis.

Prevent Cybercrime by Following HIPAA the Right Way

Cybercrime is growing, and IT professionals continue to look for ways to defend against attacks and theft. The National Institute of Standards and Technology (NIST) is an important resource for IT professionals, offering expert advice and guidance. NIST is a non-regulatory agency of the U.S. Department of Commerce that advances measurement science, standards and technology, including information technology. If you follow NIST guidance, your organization will be better protected. However, in healthcare, it’s not the whole story.

Healthcare organizations are a prime target for cybercriminals. According to the FBI, a medical identity is worth 50 times more than a Social Security number or a credit card number because it can be used to reap greater profits in insurance and Medicare fraud. Adding to the growth of healthcare cybercrime is ransomware, with organizations paying criminals to unlock data the attackers have encrypted. Cybercrime has become a growth business.

A better idea is for healthcare organizations to follow HIPAA, because the HIPAA Rules are a blueprint for reducing the risk of cybercrime. A central component of all the HIPAA Rules, and of full compliance, is Risk Analysis and Risk Management, which includes the NIST process. The security risk assessment recommended by NIST is one slice of a full HIPAA Risk Analysis. Add to the security risk assessment all the requirements of the Privacy and Breach Notification Rules before saying you’re done.

Prevention by following all the rules is less expensive than massive disruption caused by a cyber attack.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) establishes voluntary guidance to help organizations reduce cybersecurity risk.

NIST defines ‘cybersecurity’ as:

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

Therefore, CSF guidance applies only to the security of data maintained or transmitted by electronic media. With respect to HIPAA, CSF guidance relates to Protected Health Information (PHI) maintained or transmitted electronically. HIPAA defines this information as Electronic Protected Health Information (ePHI). Standards for the protection of ePHI, the category of data addressed by the NIST CSF, are set forth in only one of the HIPAA Rules, the HIPAA Security Rule.

We often hear from IT professionals that because they’ve completed the security risk assessment, their healthcare organization is HIPAA compliant. More needs to be done to address ALL the HIPAA Rules and meet OCR requirements.

HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework

The Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services administers and enforces the HIPAA Rules. OCR developed a matrix called a ‘crosswalk’ comparing HIPAA Security Rule standards to the NIST CSF. OCR said the crosswalk may help organizations identify potential gaps in their programs. But the crosswalk is not a substitute for a full compliance program.

The resulting ‘crosswalk’ highlights similarities and differences between Security Rule standards and the CSF and warns:

Although all Security Rule administrative, physical, and technical safeguards map to at least one of the NIST Cybersecurity Framework Subcategories, other Security Rule standards, such as specific requirements for documentation and organization, do not. HIPAA covered entities and business associates cannot rely entirely on the crosswalk for compliance with the Security Rule.


Users who have aligned their security program to the NIST Cybersecurity Framework should not assume that by so doing they are in full compliance with the Security Rule. Conversely, the HIPAA Security Rule does not require covered entities to integrate the Cybersecurity Framework into their security management programs.

Scope of NIST CSF is Limited Compared to Scope of HIPAA Rules

The NIST CSF was developed to improve the cybersecurity of America’s critical infrastructure. Its scope is the protection of data maintained or transmitted electronically.

HIPAA differs from the NIST CSF in two important ways.

The HIPAA Rules apply:

  1. to the security and privacy of a narrow category of data: individually identifiable health information; and
  2. to PHI that is maintained or transmitted in any form or medium, including but not limited to electronic media.

Scope of The HIPAA E-Tool®

The HIPAA E-Tool® covers all standards, implementation specifications and requirements of the HIPAA Privacy, Security and Breach Notification Rules, and every policy and procedure has an exact citation to the applicable law. There is no crosswalk between the NIST CSF and the HIPAA Privacy or Breach Notification Rules because the CSF’s subject matter relates only to elements of the HIPAA Security Rule. And the HIPAA Privacy Rule is the most important and fundamental HIPAA Rule.

The HIPAA Rules Fully Covered in The HIPAA E-Tool®

Privacy Rule

The HIPAA Privacy Rule is the basic HIPAA Rule. It establishes:

  1. Permitted and required uses and disclosures of all PHI maintained or transmitted in any form or medium;
  2. The rights of an individual with respect to his or her own PHI; and
  3. Requirements for administrative, technical and physical safeguards to protect the privacy of PHI.

Security Rule

The HIPAA Security Rule establishes standards focused exclusively on the protection of ePHI. The purpose of the Security Rule standards is to protect against uses or disclosures of ePHI that are not permitted or required by the HIPAA Privacy Rule.

Breach Notification Rule

The HIPAA Breach Notification Rule applies only to the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by the Privacy Rule.

Risk Analysis – Risk Management Module Incorporates NIST and Ties it All Together

The interactive risk assessment tool in The HIPAA E-Tool® creates a Risk Management Plan compliant with all the HIPAA Rules. It’s saved in the cloud, and when you use the archive feature, you can return to it year after year, adding edits and tweaks instead of starting from scratch.

Special Feature of The HIPAA E-Tool® – OCR HIPAA Audit Protocols

Section 8 of The HIPAA E-Tool® has all 180 HIPAA compliance audit protocols (questions and document requests) covering the HIPAA Privacy, Security and Breach Notification Rules. It is organized by rule, each with a clickable table of contents. Individual audit protocols are accompanied by one or more clickable links to the policy, procedure or form needed to demonstrate compliance and satisfactorily respond to the protocol. This feature is not available anywhere else.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
