NIST Issues Revised Guidance For HIPAA Security Rule

The National Institute of Standards and Technology (NIST) has issued updated healthcare cybersecurity and HIPAA Security Rule guidance to help healthcare organizations safeguard protected health information.

The Health Insurance Portability and Accountability Act was introduced to establish national standards for the protection of electronic protected health information managed by HIPAA-covered entities. A significant component of the Act is the HIPAA Security Rule, which requires covered entities to implement appropriate physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of the protected health information they maintain. Compliance with the HIPAA Security Rule has become more important than ever as the number of cyberattacks continues to increase.

In 2008, NIST issued the first revision of its HIPAA Security Rule guidance. Since then, NIST has published other cybersecurity guidance and has repeatedly revised its Security and Privacy Controls, including the release of the NIST Cybersecurity Framework. The guidance was updated in part to incorporate the Cybersecurity Framework, which did not exist when Revision 1 was issued in 2008. The updated guidance will act as a practical framework for HIPAA-regulated entities to implement the HIPAA Security Rule and better protect healthcare information from unauthorized access. NIST has opened the draft version of the new guidance for public comment until September 21, 2022. NIST maintains that the structure of the guidance has generally remained the same; however, the importance of risk management has been given greater emphasis.

In 2021, as part of an update to the HITECH Act, the HHS’ Office for Civil Rights (OCR) was required to take into account the “recognized security practices” that a regulated entity had in place consistently for the preceding 12 months. Adoption of the NIST Cybersecurity Framework is one of the recognized security practices that will be taken into consideration. The guidance will therefore assist HIPAA-regulated entities in this respect and may help them avoid or reduce sanctions for HIPAA violations. The OCR has said that specific guidance on recognized security practices will be issued later this year.

All HIPAA-regulated entities will be required to comply with the updated guidance upon its publication. The OCR has maintained that ignorance is not a valid excuse for non-compliance. Covered entities will be required to fully understand and adhere to the new guidance in order to avoid penalties for HIPAA violations.