
SP 800-66 Rev. 2 (Draft)

PRE-DRAFT Call for Comments: Implementing the HIPAA Security Rule

Date Published: April 29, 2021
Comments Due: July 9, 2021 (public comment period is CLOSED)
Email Questions to: sp800-66-comments@nist.gov

Planning Note (6/2/2021): The due date for submitting comments has been extended to July 9, 2021 (it was originally June 15, 2021).

Announcement

Summary

NIST is planning to update NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (“Resource Guide”). NIST’s cybersecurity resources have evolved since SP 800-66, Revision 1, was published in 2008, and stakeholders will benefit from guidance that includes references to these updated resources. The public is invited to provide input by July 9, 2021 (extended from the original June 15, 2021 deadline) for consideration in the update.

Details

The list of topics below covers the major areas in which NIST is considering updates, including improvements to the guide and awareness, applications, and uses for the guide. NIST is seeking stakeholder input on the purpose of the Resource Guide to educate readers about information security terms used in the HIPAA Security Rule, amplify awareness of NIST cybersecurity resources relevant to the HIPAA Security Rule, amplify awareness of non-NIST resources relevant to the HIPAA Security Rule, and provide detailed implementation guidance for covered entities and business associates.

Comments received by the deadline will be incorporated to the extent practicable. Once completed, the resulting draft of SP 800-66, Rev. 2, will be provided for public review and comment.

The comment period is open through July 9, 2021 (extended from the original June 15, 2021 deadline). Submit comments to sp800-66-comments@nist.gov with “Resource Guide for Implementing the HIPAA Security Rule Call for Comments” in the subject field.

Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally identifiable information and confidential business information should not be included (e.g., account numbers, Social Security numbers, names of other individuals). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered. 

A. Improvements to An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

The following topics are intended to help NIST learn about experiences in applying and using An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (“Resource Guide”) and explore opportunities for improvement. 

  • Describe what content of the Resource Guide is being used and how you are using it.
  • Describe what components of the Resource Guide have been least useful to you and why.
  • Share any key concepts or topics that you believe are missing from the Resource Guide, including what they are and why they merit special attention.
  • Describe how the Resource Guide can be more useful, relatable, and actionable to a variety of audiences (e.g., small health care providers, health plans, health care clearinghouses, business associates).
  • Describe the potential benefits or challenges experienced when aligning the Resource Guide more closely with other related standards, guidelines, or resources (e.g., the Cybersecurity Framework; NIST SP 800-37, Risk Management Framework for Information Systems and Organizations; NIST SP 800-30, Guide for Conducting Risk Assessments; NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations).
  • Describe which components of the Resource Guide you think are best left as static content that should not change until the next revision and which components could be managed as dynamic content (i.e., require more frequent changes or updates to accommodate new information as it becomes available).

B. Application, Implementation, and Uses of An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

Covered entities and business associates have diverse ways of implementing the HIPAA Security Rule. NIST solicits information about how organizations are implementing the Resource Guide, its application, and its use in practice.

  • Describe any tools, resources, or techniques that your organization currently uses or would like to use to implement the HIPAA Security Rule.
  • Describe how your organization manages compliance and security simultaneously (i.e., how your organization achieves compliance with the HIPAA Security Rule while also improving cybersecurity posture).
  • Describe how your organization assesses risk to ePHI (electronic protected health information) and how this assessment leads to the identification of appropriate security controls/practices.
  • Describe how your organization determines that security measures implemented in accordance with the Security Rule are effective in protecting ePHI and how often your organization initiates a process to determine such effectiveness.
  • If your organization implements recognized security practices,[1] describe how you document the process of demonstrating adequate implementation.
    • Describe how these recognized security practices overlap with and diverge from compliance with the HIPAA Security Rule at your organization.
  • Describe how your organization manages concerns regarding business associates’ compliance with the HIPAA Security Rule. Describe the role that contracts or other agreements serve in protecting ePHI disclosed to business associates.
  • Describe how your organization facilitates communication—both internal and external to the organization—about HIPAA Security Rule implementation and compliance.

[1] To amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes, Pub. L. 116-321 (January 5, 2021). Available at https://www.congress.gov/bill/116th-congress/house-bill/7898  

Control Families

None selected

Documentation

Publication:
None available

Supplemental Material:
None available

Related NIST Publications:
SP 800-66 Rev. 1

Document History:
04/29/21: SP 800-66 Rev. 2 (Draft)

Topics

Security and Privacy
general security & privacy

Laws and Regulations
Health Insurance Portability and Accountability Act

Sectors
healthcare