NIST Seeks Comment on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is considering revising and updating its guidance on implementing the HIPAA Security Rule and is seeking feedback from stakeholders on areas of the guidance that need to be modified.

NIST released the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – in October 2008. In the past 13 years, cybersecurity has changed and threat conditions have changed significantly. NIST's cybersecurity assets have likewise changed over that time, and a revision to the guidance is long overdue.

NIST will update the guidance to include its new cybersecurity solutions, increase awareness of non-NIST sources related to compliance with the HIPAA Security Rule, and revise its implementation guidance for HIPAA-covered organizations and business associates.

In particular, NIST has asked stakeholders to comment on their experiences using and following the resource guide, including which parts of the guidance were helpful, which were not, and why.

NIST would like to hear from covered entities and business associates that have used the guidance and found key ideas to be missing. It also asks stakeholders who found that the guidance is not applicable to their organization to provide information on how it can be made more relatable, helpful, and actionable for a wider range of audiences.

Covered entities and business associates have implemented the HIPAA Security Rule in different ways. NIST is looking for information on any tools, resources, and strategies that have proven beneficial. It asks covered entities that have had positive results with their compliance programs to share details on how they handle compliance and security at the same time, how they evaluate risks to ePHI, how they determine whether the security procedures put in place are effective at protecting ePHI, and how they document that implementation is sufficient. NIST also wishes to hear from any covered entity or business associate that has implemented known security procedures that diverge from compliance with the HIPAA Security Rule.

Stakeholders are asked to submit feedback by June 15, 2021 for consideration before the proposed update. Submitted comments will be considered and incorporated as far as practicable.