December 9, 2023

NIST has released an initial public draft of HIPAA Security Rule: A Cybersecurity Resource Guide (SP 800-66 Rev. 2, an update to the 2008 NIST guide) for public comment.

The Guide provides guidance on assessing and managing risks to electronic protected health information (ePHI), identifies typical activities that a regulated entity might consider implementing as part of an information security program, and includes additional resources that regulated entities may find useful in implementing the Security Rule, such as a crosswalk between the HIPAA Security Rule standards and the NIST Cybersecurity Framework.

NIST breaks each HIPAA Security Rule standard down into key activities that a regulated entity may wish to consider implementing, adds a detailed description of each activity, and provides sample questions that a regulated entity might ask itself to assist in implementing the Security Rule.

NIST provides sample questions such as:

  1. Who in the organization is responsible for overseeing the security policies, conducting the risk assessment and risk management, handling the results of periodic security evaluations and continuous monitoring, and directing IT security purchasing and investment?
  2. Does the security official have adequate access and communications with senior officials in the organization?
  3. Who in the organization is authorized to accept risks from systems on behalf of the organization?

This detailed guidance for each HIPAA Security Rule standard will be helpful for regulated entities that have struggled to implement the Rule using only the language of the Rule itself and the Office for Civil Rights (OCR) guidance on it.

Risk Assessment Guidelines

The Risk Assessment Guidelines section of the Resource Guide provides a seven-step methodology for conducting a risk assessment:

  1. Prepare for the Assessment.
  2. Identify Realistic Threats.
  3. Identify Potential Vulnerabilities and Predisposing Conditions.
  4. Determine the Likelihood of a Threat Exploiting a Vulnerability.
  5. Determine the Impact of a Threat Exploiting a Vulnerability.
  6. Determine the Level of Risk.
  7. Document the Results.

Consistent with previous OCR guidance, NIST reminds regulated entities that the risk assessment is an ongoing activity, not a one-time, static task, and must be updated periodically in order for risks to be properly identified, documented, and subsequently managed.

Failure to have a thorough and up-to-date risk assessment is one of the most common failures documented by OCR in its resolution agreements with regulated entities.

The Resource Guide is still in draft, and NIST is accepting public comment on whether the guide is helpful and where it could be improved through September 21, 2022.
