Date Published: July 21, 2022
Planning Note (04/25/2023):
The HIPAA Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI), as defined by the Security Rule. All HIPAA-regulated entities must comply with the requirements of the Security Rule.
This draft update:
- Includes a brief overview of the HIPAA Security Rule
- Provides guidance for regulated entities on assessing and managing risks to ePHI
- Identifies typical activities that a regulated entity might consider implementing as part of an information security program
- Lists additional resources that regulated entities may find useful in implementing the Security Rule
NIST would appreciate feedback on the following questions (from the Note to Reviewers section):
- Do you find the overall organization of the document appropriate? Do you have suggestions for improving the document’s organization?
- Is it helpful to have the Risk Assessment Guidance and Risk Management Guidance sections sequential? Do you have suggestions for improving these sections and/or making them more useful to regulated entities?
- Are there Key Activities, Descriptions, and/or Sample Questions that should be added to or removed from the tables in Section 5? Are there specific techniques, threats, or topics that need to be added to Section 5 as Key Activities, Descriptions, and/or Sample Questions?
- Does the appendix about the National Online Informative References (OLIR) Program help the reader? Is its purpose clear?
- Is Appendix F helpful in its current format? Are there resources that should be added to or removed from the Appendix? Should Appendix F be reorganized in any way? Does the annotation of the resources help? Are there additional suggestions for improving Appendix F?
- Are there sections of the publication that would be better extracted from the document and presented elsewhere (e.g., online or as Supplementary Materials hosted on the website)?
- Are there additional topics that should be included in the main body or appendices?
NOTE: A call for patent claims is included on page v of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Keywords: administrative safeguards; Health Insurance Portability and Accountability Act; implementation specification; physical safeguards; risk assessment; risk management; Security Rule; standards; technical safeguards