In Updated HIPAA Security Rule Guide, NIST Addresses Cybersecurity and Other Topics | Practical Law

In coordination with the Department of Health and Human Services (HHS), the National Institute of Standards and Technology (NIST) has updated its compliance guide addressing the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The 2024 guide offers drill-down information on complying with the Security Rule's administrative, physical, and technical safeguards for protected health information (PHI) in electronic form.

Practical Law Legal Update w-042-3977 (Approx. 8 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 22 Feb 2024
USA (National/Federal)
HHS's Office for Civil Rights (OCR) has issued the latest version of a compliance guide addressing the HIPAA Security Rule, which was developed in coordination with the National Institute of Standards and Technology (NIST) (NIST Special Publication 800-66r2 (Feb. 16, 2024)). NIST is a non-regulatory federal agency and research institute that focuses on how technology can promote economic security. The HIPAA Security Rule specifies a set of administrative, technical, and physical procedures for use by HIPAA covered entities (CEs) and business associates (BAs) in protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).
The 2024 guide is generally organized to track the six core sections of the Security Rule (that is, general standards, administrative safeguards, physical safeguards, technical safeguards, organizational requirements (including BA agreements), and—lastly—policies, procedures, and documentation requirements). After providing a brief overview of HIPAA Security Rule standards, the 2024 guide offers drill-down compliance guidance on:
  • HIPAA's risk assessment and risk management procedures.
  • Considerations in implementing the HIPAA Security Rule, including:
    • detailed tables of key activities, descriptions, and sample questions for various aspects of the Security Rule;
    • steps for use by CEs and BAs in evaluating and managing risks to ePHI; and
    • typical actions that these entities should consider in developing (or expanding) their information security programs.
  • Related resources for Security Rule implementation.
For more information on HIPAA Security Rule compliance, see:

Applicability of 2024 Guide

Although the 2024 guide is for use by CEs and BAs (collectively referred to as "regulated entities"), it does not supplement, replace, or supersede the Security Rule. Moreover, the 2024 guide focuses primarily on Security Rule issues and does not directly address other aspects of HIPAA compliance—including HIPAA's privacy, breach notification, or enforcement rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Breach Notification Rules).

Risk Assessments and Management

One section of the 2024 guide addresses HIPAA risk assessments, which are frequently an action item for CEs and BAs in negotiated HHS/HIPAA settlement agreements (for example, see Legal Update, Stolen Laptop Bag Leads to $750,000 HIPAA Settlement). The 2024 guide first provides definitions of key risk assessment terms, such as the meaning of threat events and threat sources for risk assessment purposes (for example, natural, human, and environmental threats).
The 2024 guide then describes the steps in a comprehensive risk assessment—which a CE or BA can tailor to its own security risk evaluation needs. These steps include:
  • Preparing for the assessment, which requires a CE or BA (among other actions) to understand where within its organization ePHI is created, received, maintained, processed and transmitted.
  • Identifying reasonably anticipated threats to ePHI (for example, a long-term power failure).
  • Identifying possible vulnerabilities to ePHI (for example, a weakness in an information system).
  • Assessing the likelihood that an identified threat will exploit a vulnerability (very low, low, moderate, high, very high).
  • Determining the effect of a threat that exploits a vulnerability (for example, losing system functionality may lead to the loss of productive time).
  • Identifying the level of risk to ePHI (using a risk-level matrix).
  • Documenting risk assessment results (for example, by including risk assessment results in a governance, risk, and compliance (GRC) or enterprise risk management (ERM) tool) (see Enterprise Risk Management Toolkit).
Once a CE or BA has completed its risk assessment, it can meet the risk management requirement by implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable level. In its 2024 guide, NIST takes the view that a risk assessment is not a static, one-and-done endeavor. Rather, a risk assessment may need to be updated periodically as threats change and new vulnerabilities emerge. Among other resources, the 2024 guide cross-references HHS's security risk assessment (SRA) tool as a useful starting point for conducting a risk assessment.
After a CE or BA completes its risk assessment, it is required (under the Security Rule) to adopt security measures adequate to reduce identified risks and vulnerabilities to a reasonable level. A section of the 2024 guide addresses the risk management process. In managing risks to ePHI, the 2024 guide indicates that CEs and BAs should identify their:
  • Risk appetite, generally defined as how much risk the organization's senior leaders will accept in pursuing the organization's objectives.
  • Risk tolerance, which refers to the level of performance risk that is acceptable within an organization's identified risk appetite.
Relatedly, the risk management process generally addresses whether a CE's or BA's implementation of the Security Rule has reduced the risk of identified threats and vulnerabilities to a level that falls within the organization's risk tolerance.
The 2024 guide illustrates this process with an example in which:
The CE in this example could conclude that although the risk of a ransomware attack is still high, the CE's risk management measures have reduced the impact of such an attack to a low level that falls within the CE's risk tolerance. In some cases, according to the 2024 guide, a CE or BA may need to adopt additional security controls to reduce the risk to ePHI—including technical or non-technical controls that are separate from protecting ePHI. As with the risk assessment, a CE's or BA's risk management activities should be documented.
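The assessment steps listed above (threat, vulnerability, likelihood, impact, risk-level matrix, documentation) and the risk management comparison against risk tolerance can be seen end to end in the following worked example. It is added illustration, not code from NIST SP 800-66r2, HHS, or Practical Law. Several things are assumptions rather than content of the guide: the five-point likelihood scale is reused as the impact scale, the 5x5 matrix is modeled on the qualitative scale in NIST SP 800-30 Rev. 1 Appendix I, and the register entries (a ransomware case mirroring the guide's narrative, plus a power-failure case) are constructed sample data.

```python
"""Qualitative ePHI risk assessment and risk management, end to end.

Illustrative code only (not from NIST SP 800-66r2 or HHS). Assumptions:
the guide's five-level likelihood scale is reused for impact, the matrix
below is modeled on NIST SP 800-30 Rev. 1 Appendix I, and the sample
register entries are constructed for this example.
"""
from dataclasses import dataclass, field
import json

LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Risk-level matrix: rows are likelihood, columns are impact (LEVELS order).
RISK_MATRIX = {
    "very low":  ["very low", "very low", "very low", "low", "low"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "very high": ["very low", "low", "moderate", "high", "very high"],
}


def _rank(level: str) -> int:
    """Position of a level on the scale; rejects values outside the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def risk_level(likelihood: str, impact: str) -> str:
    """Derive the risk level from likelihood and impact via the matrix."""
    _rank(likelihood)  # validates the row key
    return RISK_MATRIX[likelihood][_rank(impact)]


@dataclass
class Risk:
    threat: str            # reasonably anticipated threat event
    vulnerability: str     # weakness the threat could exploit
    likelihood: str        # inherent (pre-control) likelihood
    impact: str            # inherent (pre-control) impact
    controls: list = field(default_factory=list)
    residual_likelihood: str = ""
    residual_impact: str = ""

    def __post_init__(self):
        _rank(self.likelihood), _rank(self.impact)
        self.residual_likelihood = self.residual_likelihood or self.likelihood
        self.residual_impact = self.residual_impact or self.impact

    def add_control(self, name: str, likelihood: str = "", impact: str = ""):
        """Record a security measure and the residual level it leaves."""
        self.controls.append(name)
        if likelihood:
            self.residual_likelihood = LEVELS[_rank(likelihood)]
        if impact:
            self.residual_impact = LEVELS[_rank(impact)]
        return self


def assess_register(register: list, tolerance: str) -> list:
    """One record per risk: inherent and residual level, and whether the
    residual level falls within the organization's risk tolerance."""
    tol = _rank(tolerance)
    report = []
    for r in register:
        residual = risk_level(r.residual_likelihood, r.residual_impact)
        accepted = _rank(residual) <= tol
        report.append({
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "controls": list(r.controls),
            "inherent_level": risk_level(r.likelihood, r.impact),
            "residual_level": residual,
            "within_tolerance": accepted,
            "action": "accept and monitor" if accepted
                      else "select additional controls",
        })
    return report


def build_sample_register() -> list:
    """Constructed sample entries (hypothetical, not from the guide)."""
    ransomware = Risk("ransomware encrypts the EHR file server",
                      "backups reachable from user workstations",
                      likelihood="high", impact="very high")
    ransomware.add_control("offline immutable backups with tested restores",
                           impact="low")   # likelihood stays high
    ransomware.add_control("endpoint detection on all workstations")
    power = Risk("long-term power failure at the data center",
                 "no alternate power source for ePHI systems",
                 likelihood="moderate", impact="high")
    power.add_control("UPS plus generator rated for 24 hours", impact="moderate")
    return [ransomware, power]


def document_results(register: list, tolerance: str) -> str:
    """Serialize the assessment as a JSON record for a GRC or ERM tool."""
    return json.dumps({"risk_tolerance": tolerance,
                       "risks": assess_register(register, tolerance)}, indent=2)


if __name__ == "__main__":
    print(document_results(build_sample_register(), "low"))
```

With a tolerance of "low", the ransomware entry ends at a residual level of low even though its likelihood is still high, which is the outcome the guide describes; the power-failure entry stays at moderate and is flagged for additional controls. Re-running the register as threats change is how the "not one-and-done" point translates into practice.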

Considerations in Implementing HIPAA Security Rule

Besides addressing the Security Rule's risk assessment and risk management standards, the 2024 guide presents security measures that reflect each of the core Security Rule standards (that is, administrative, physical, and technical safeguards) (see Practice Note, HIPAA Security Rule: Overview and Administrative Safeguards: Administrative Safeguards). For example, regarding components of the Security Rule's administrative safeguards, the 2024 guide provides key activities, a description of those activities, and sample questions addressing how a given activity can be completed. The key activities, descriptions, and sample questions are provided in a table.

Workforce Security Standard

As one example, the Security Rule's administrative safeguards include a standard concerning workforce security with "implementation specifications" (all addressable, as opposed to required) for:
  • Authorization and/or supervision.
  • Workforce clearance procedures.
  • Termination procedures.
The 2024 guide reflects all three of these Security Rule specifications (and expands on them) in a column of a table that lists the following five key activities:
  • Implement policies and procedures for authorization, supervision, or both.
  • Establish clear job descriptions and responsibilities.
  • Adopt criteria and procedures for hiring and assigning tasks.
  • Establish a workforce clearance procedure.
  • Create termination procedures.
For each of the five stated key activities, a second column of the table provides a description of the activity. For example, the description of adopting criteria and procedures for hiring and assigning tasks has two parts:
  • Ensure that workforce members possess the requisite skills, knowledge, and abilities to perform their specific roles (that is, for accessing and using protected information).
  • Build in these requirements to the entity's personnel hiring process.
Finally, a third column of the table contains sample questions to advance the key activity of adopting criteria and procedures for hiring and assigning tasks. For example, one question asks whether a candidate's qualifications for a particular role have been cross-checked against the relevant job description.

HIPAA Training

As a second example, the Security Rule's administrative safeguards include a standard concerning security awareness and training with "implementation specifications" (all addressable) for:
  • Security reminders.
  • Protection from malicious software.
  • Login monitoring.
  • Password management.
The 2024 guide reflects all of these Security Rule specifications (and expands on them) in a column of a table that lists the following seven key activities:
  • Conduct a HIPAA training needs assessment.
  • Develop and approve a training strategy and a plan.
  • Protect from malicious software, login monitoring, and password management.
  • Develop appropriate awareness and training content, materials, and methods.
  • Implement the training.
  • Implement security reminders.
  • Monitor and evaluate the training plan.
For each of the seven stated key activities, a second column of the table provides a description of the activity. For example, the description for implementing HIPAA training has two parts:
  • Schedule and conduct the training outlined in the strategy and plan.
  • Adopt reasonable techniques to share the security messages enterprise-wide (for example, through video recordings, screensavers, newsletters, or email blasts).
Finally, a third column of the table contains sample questions to advance the key activity of implementing HIPAA training. For example, one question asks whether all of a CE's or BA's workforce members have received sufficient training commensurate with their security responsibilities within the organization. Another question asks whether the CE or BA has sanctions for workforce members who fail to complete the required training.

Practical Impact

The 2024 guide includes a wealth of information for HIPAA CEs and BAs concerning Security Rule compliance—particularly in its “Considerations” section addressing key activities, descriptions, and sample questions for specific administrative, physical, and technical standards under the Security Rule. But the 2024 guide also comes with disclaimers: NIST itself, as noted, is a non-regulatory agency and the participation of other federal agencies (including HHS/OCR) in developing the 2024 guide should not be viewed as approval of the guide's content.