Federal Updates

Updated HIPAA Cybersecurity Resource Guide Released

In February 2024, HHS and the National Institute of Standards and Technology (NIST) released an updated cybersecurity resource guide to help HIPAA-regulated entities, which include group health plans and their business associates, comply with the HIPAA Security Rule (the Security Rule). This practical guide is organized into five main sections, followed by a wide variety of related resources in the appendices.

Section 1, the introduction, explains the purpose of the guide and outlines its contents. Specifically, the guide is designed to assist regulated entities in their understanding and implementation of the Security Rule but does not replace, modify, or supersede the Security Rule itself. The guide provides a brief overview of the Security Rule, information on assessing and managing cybersecurity risks, and considerations for implementing an information security program.

Section 2 provides a brief overview of the Security Rule, with which all regulated entities must comply. The Security Rule focuses on safeguarding electronic protected health information (ePHI). The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. Each regulated entity must develop a compliance approach that is tailored to its size, environment, and circumstances.

Sections 3 and 4 focus on risk assessment and management, which provide the foundation for a regulated entity’s Security Rule compliance efforts and the protection of ePHI. A risk assessment identifies conditions where ePHI could be used or disclosed without proper authorization, improperly modified, or made unavailable when needed. As explained in the guide, a regulated entity’s risk assessment process requires an understanding of where ePHI is created, received, maintained, processed, and transmitted, including by portable computing devices, remote workers, and service providers (e.g., cloud service providers). A regulated entity should identify all reasonably anticipated threats to ePHI (e.g., via phishing, ransomware, or insiders) and any vulnerabilities (e.g., in an information system) that could be exploited. The regulated entity should determine the likelihood of a vulnerability being exploited and the risk level and potential impacts.

The risk management process requires regulated entities to implement policies and procedures to prevent, detect, contain, and correct security violations. Ultimately, the regulated entity’s risk assessment processes should inform its decisions regarding the implementation of necessary security measures to reduce risks to ePHI. The risk assessment and management processes should be documented, including the analyses, decisions, and any adjustments to security controls.

Finally, Section 5 provides guidance to help regulated entities comply with security standards and implementation specifications required by the Security Rule. The guidance, which is presented in tabular format, specifies key activities, descriptions, and sample questions for each standard that a regulated entity can review “through the lens of its own organization.”

Group health plans and business associates may find the updated NIST guide (and the many resources referenced in its appendices) very useful for understanding and complying with the Security Rule. These regulated entities should work with their information technology support teams to determine whether their current risk assessment and management procedures are adequately tailored to address potential cybersecurity threats to ePHI.

Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide (NIST SP 800-66r2)

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
