NIST Updates Impact HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) comprises three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Security Rule sets standards to protect the integrity, confidentiality, and availability of all electronic Personal Health Information (ePHI). The collection of technical, physical, and administrative safeguards that make up the Security Rule is based on NIST SP 800-66. The NIST SP 800-66 framework was written specifically to:

  • Help to educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule.
  • Direct readers to helpful information in other NIST publications on individual topics addressed by the HIPAA Security Rule.
  • Aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.

NIST SP 800-66 is getting an update. Revision 2 was released for public comment in July 2022, and the final version is expected to be published in late 2023.

Based on the public comments, NIST is planning on the following changes for the final version of NIST SP 800-66 Revision 2:

More Specific Resources for Small, Regulated Entities

NIST will collaborate with other public and private entities to help create these resources, which may include tools, use cases, or more specific guidance. The development of these resources will be separate from the final publication of NIST SP 800-66. Look for more information about this in the coming months.

Document Clarification

Many comments asked for clarification on the terms ‘risk analysis’ and ‘risk assessment.’ The term ‘risk analysis’ cannot be eliminated because it is used in the Security Rule. The final publication will consistently refer to risk analysis as it is required by the Security Rule, namely, an accurate and thorough assessment of the threats and vulnerabilities to ePHI. Risk assessment will refer to the process by which a regulated entity determines the level of risk to ePHI. Draft NIST SP 800-66 Revision 2 provides a risk assessment process that regulated entities may use, and small regulated entities may benefit from using the HHS Security Risk Assessment (SRA) Tool.

Appendices Adjustments

Revision 2 will make Appendix E – Security Rule Standards and Implementation Specifications Crosswalk more useful. Appendix E maps the Security Rule’s standards and implementation specifications to applicable security controls detailed in NIST SP 800-53, the Cybersecurity Framework (CSF) Subcategories, and other relevant NIST publications. NIST plans to remove the Appendix E mapping from Draft NIST SP 800-66 Revision 2 and place it online on NIST’s Cybersecurity and Privacy Reference Tool (CPRT) website. There will still be Appendix E, but it will only contain a pointer to the mapping stored in CPRT. This will allow the mapping to be updated separately from the SP 800-66 update cycle.

NIST will also merge the existing Appendix E mapping with the tables of key activities, descriptions, and sample questions for regulated entities in Section 5, which will remain a useful reference for readers. A few columns will be added to the Section 5 tables to show the relevant CSF Subcategories, SP 800-53 controls, and other NIST resources that map to each Security Rule standard and implementation specification.

In response to many suggestions to extract the Resources from Appendix F – HIPAA Security Rule Resources, NIST will move the Resources online. As with Appendix E, this change allows the Resources to be kept up to date separately from the NIST SP 800-66 update cycle. Resources will be reorganized within each topic area to progress from foundational to more complex resources, allowing small regulated entities to focus on the earlier resources within each topic area. A full list of topic areas will be added to the beginning of the resource listing, with active links that take the reader directly to each respective topic area.

CompliancePoint has the healthcare, cybersecurity, and privacy expertise to help your organization achieve and maintain HIPAA compliance. Contact us at to learn more about our suite of services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.