Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

Marron, Jeffrey

doi:https://doi.org/10.6028/NIST.SP.800-66r2.ipd

SP 800-66 Rev. 2 (Draft)

Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

Date Published: July 21, 2022
Comments Due: October 5, 2022 (public comment period is CLOSED)
Email Questions to: sp800-66-comments@nist.gov

Planning Note (4/25/2023):

See an update on the revision of NIST SP 800-66.

Author(s)

Jeffrey Marron (NIST)

Announcement

The HIPAA Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI), as defined by the Security Rule. All HIPAA-regulated entities must comply with the requirements of the Security Rule.

This draft update:

Includes a brief overview of the HIPAA Security Rule
Provides guidance for regulated entities on assessing and managing risks to ePHI
Identifies typical activities that a regulated entity might consider implementing as part of an information security program
Lists additional resources that regulated entities may find useful in implementing the Security Rule

NIST would appreciate feedback on the following questions (from the Note to Reviewers section):

Do you find the overall organization of the document appropriate? Do you have suggestions for improving the document’s organization?
Is it helpful to have the Risk Assessment Guidance and Risk Management Guidance sections sequential? Do you have suggestions for improving these sections and/or making them more useful to regulated entities?
Are there Key Activities, Descriptions, and/or Sample Questions that should be added to or removed from the tables in Section 5? Are there specific techniques, threats, or topics that need to be added to Section 5 as Key Activities, Descriptions, and/or Sample Questions?
Does the appendix about the National Online Informative References (OLIR) Program help the reader? Is its purpose clear?
Is Appendix F helpful in its current format? Are there resources that should be added to or removed from the Appendix? Should Appendix F be reorganized in any way? Does the annotation of the resources help? Are there additional suggestions for improving Appendix F?
Are there sections of the publication that would be better extracted from the document and presented elsewhere (e.g., online or as Supplementary Materials hosted on the website)?
Are there additional topics that should be included in the main body or appendices?

NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Abstract

The HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. This publication provides practical guidance and resources that can be used by regulated entities of all sizes to protect ePHI and better understand the security concepts discussed in the HIPAA Security Rule.

Keywords

administrative safeguards; Health Insurance Portability and Accountability Act; implementation specification; physical safeguards; risk assessment; risk management; Security Rule; standards; technical safeguards

Control Families

None selected

Documentation

Publication:
SP 800-66 Rev. 2 (Draft) (DOI)
Local Download

Supplemental Material:
NIST news article (web)

Document History:
04/29/21: SP 800-66 Rev. 2 (Draft)
07/21/22: SP 800-66 Rev. 2 (Draft)

Topics

Security and Privacy
general security & privacy

Laws and Regulations
Health Insurance Portability and Accountability Act

Sectors
healthcare