NIST SP 800-66 Rev. 2

Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

Date Published: February 2024

Supersedes: SP 800-66 Rev. 1 (10/23/2008)

Planning Note (02/14/2024):

See NIST’s Cybersecurity and Privacy Reference Tool (CPRT) for the following content:

  • Key activities, descriptions, and sample questions from the tables in Section 5
  • Mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls
  • Listings of NIST publications relevant to each HIPAA Security Rule standard


Author: Jeffrey Marron (NIST)

Keywords: administrative safeguards; Health Insurance Portability and Accountability Act; implementation specification; physical safeguards; risk assessment; risk management; Security Rule; standards; technical safeguards
Topics:

  • Security and Privacy: risk management
  • Laws and Regulations: Health Insurance Portability and Accountability Act