OCR Issues HIPAA Security Rule Cybersecurity Implementation Guide
The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) have issued the final version of Special Publication (SP) 800-66 Revision 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. This revised publication, a collaborative effort between NIST and OCR, provides resources for HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates to help them understand the HIPAA Security Rule, comply with the law, and strengthen their security posture.

This is the latest action in this area for HHS, which released a Department-wide cybersecurity strategy for the health care sector in December 2023 and voluntary cybersecurity performance goals for the health sector in January 2024.

The publication provides an overview of the HIPAA Security Rule, strategies for assessing and managing risks to electronic protected health information (ePHI), suggested cybersecurity measures and solutions that HIPAA covered entities and business associates might consider as part of an information security program, and resources for implementing the Security Rule. Specific topic areas include:
- Explanations of the HIPAA Security Rule’s Risk Analysis and Risk Management requirements.
- Key Activities to consider when implementing Security Rule requirements.
- Actionable steps for implementing security measures.
- Sample questions to determine adequacy of cybersecurity measures to protect ePHI.
In addition to the publication itself, NIST has also provided supplementary content on its website to further assist HIPAA covered entities and business associates with strategies to improve their cybersecurity in specific areas including:
- Telehealth/Telemedicine
- Mobile Device Security
- Ransomware & Phishing
- Medical Device Security
- Cloud Services
- Internet of Things Used in Healthcare
- Application Security
- Supply Chain
NIST also updated its Cybersecurity and Privacy Reference Tool (CPRT). The CPRT presents the HIPAA Security Rule's standards and implementation specifications with links to related NIST resources. OCR also maintains information on its website to assist regulated entities with their obligations to protect ePHI, including HIPAA Security Rule Guidance Material and Cybersecurity Guidance Material.