NIST SP 800-66 Rev. 2 (Initial Public Draft)

Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

Date Published: July 21, 2022
Comments Due: October 5, 2022 (public comment period is CLOSED)
Email Questions to: Jeffrey Marron (NIST)

The HIPAA Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI), as defined by the Security Rule. All HIPAA-regulated entities must comply with the requirements of the Security Rule.

This draft update:

  • Includes a brief overview of the HIPAA Security Rule
  • Provides guidance for regulated entities on assessing and managing risks to ePHI
  • Identifies typical activities that a regulated entity might consider implementing as part of an information security program
  • Lists additional resources that regulated entities may find useful in implementing the Security Rule

NIST would appreciate feedback on the following questions (from the Note to Reviewers section):

  • Do you find the overall organization of the document appropriate? Do you have suggestions for improving the document’s organization?
  • Is it helpful to have the Risk Assessment Guidance and Risk Management Guidance sections sequential? Do you have suggestions for improving these sections and/or making them more useful to regulated entities?
  • Are there Key Activities, Descriptions, and/or Sample Questions that should be added to or removed from the tables in Section 5? Are there specific techniques, threats, or topics that need to be added to Section 5 as Key Activities, Descriptions, and/or Sample Questions?
  • Does the appendix about the National Online Informative References (OLIR) Program help the reader? Is its purpose clear?
  • Is Appendix F helpful in its current format? Are there resources that should be added to or removed from the Appendix? Should Appendix F be reorganized in any way? Does the annotation of the resources help? Are there additional suggestions for improving Appendix F?
  • Are there sections of the publication that would be better extracted from the document and presented elsewhere (e.g., online or as Supplementary Materials hosted on the website)?
  • Are there additional topics that should be included in the main body or appendices?

NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Keywords: administrative safeguards; Health Insurance Portability and Accountability Act; implementation specification; physical safeguards; risk assessment; risk management; Security Rule; standards; technical safeguards

Control Families: None selected

Supplemental Material:
NIST news article

Document History:
04/29/21: SP 800-66 Rev. 2 (Draft)
07/21/22: SP 800-66 Rev. 2 (Draft)
02/14/24: SP 800-66 Rev. 2 (Final)

Topics:
  • Security and Privacy: general security & privacy
  • Laws and Regulations: Health Insurance Portability and Accountability Act