Update on the Revision of NIST SP 800-66, Implementing the HIPAA Security Rule
April 25, 2023

NIST to Finalize Special Publication (SP) 800-66 Revision 2 and Collaborate on Resources for Small, Regulated Entities

For the past 18+ months NIST, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been working to update NIST Special Publication (SP) 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, from Revision 1 to Revision 2.

Thank you to all who provided feedback during the open comment period; in total, over 250 unique comments were received from dozens of individuals and organizations. Many commenters suggested that more resources be developed for small, regulated entities. NIST agrees… and anticipates follow-on work in this area—but NIST can’t do it alone and plans to work collaboratively with other agencies, entities, and colleagues to produce useful resources. Stay tuned for more information about this in the coming months.

NIST and OCR are still in the process of adjudicating the received comments carefully. Once all comments are adjudicated, NIST plans to publish a blog or whitepaper detailing the proposed changes to SP 800-66 r2 (with the goal being to publish a final version of SP 800-66 r2 later this year).

Thank you for the opportunity to share this update. Feel free to reach out with any questions or comments to (and follow us on @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated in the future).
Created April 25, 2023