NIST Revised Guidance on Compliance with the HIPAA Security Rule

The National Institute of Standards and Technology (NIST) has updated its guidance for HIPAA-covered entities on complying with the HIPAA Security Rule, with the aim of better protecting patients' personal data and protected health information (PHI).

The Security Rule of the Health Insurance Portability and Accountability Act established national standards for securing the electronic protected health information (ePHI) that HIPAA-covered entities create, receive, maintain, or transmit. Ensuring compliance with the HIPAA Security Rule is more important than ever because of the growing number of cyberattacks on HIPAA-covered entities.

NIST published the first revision of its HIPAA Security Rule guidance in 2008, six years before the NIST Cybersecurity Framework was released. In the 14 years since, NIST has published other cybersecurity guidance and has repeatedly revised its Security and Privacy Controls catalog (NIST SP 800-53). One major reason for updating the HIPAA Security Rule guidance was to incorporate NIST guidance that was not available when Revision 1 was published in 2008.

NIST cybersecurity specialist Jeff Marron said one primary objective was to turn the revised publication into a resource guide, making it more useful to healthcare organizations seeking to improve their cybersecurity posture and comply with the Security Rule.

NIST has mapped the standards and implementation specifications of the HIPAA Security Rule to the NIST Cybersecurity Framework Subcategories and to the controls in NIST SP 800-53, has placed greater emphasis on the risk management portion of the guidance, and has incorporated enterprise risk management concepts. NIST also took into account the feedback it received from healthcare industry stakeholders in its pre-draft call for comments.

The latest revision is a refresh rather than a complete rewrite. The structure of the guidance has changed only slightly, while the content has been updated to place greater emphasis on assessing and managing risks to ePHI.

Marron said NIST provides a resource that can assist organizations with implementing the Security Rule in their own environment, which may have particular needs. "Our purpose is to provide guidance and resources that you can use in a readable publication."

NIST is accepting comments on the draft guidance – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2) – until September 21, 2022.

About the author: Christine Garcia is a staff writer at Calculated HIPAA with several years of experience writing about healthcare sector issues, focusing on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. She can be followed on Twitter at https://twitter.com/ChrisCalHIPAA