HHS issues HIPAA Security Rule Mapping to NIST Cybersecurity Framework | Practical Law


The Department of Health and Human Services (HHS) has issued a chart that identifies mappings between requirements under the HIPAA Security Rule and the voluntary framework for promoting cybersecurity issued by the National Institute of Standards and Technology (NIST).


Practical Law Legal Update w-001-4653 (Approx. 5 pages)


by Practical Law Employee Benefits & Executive Compensation
Law stated as of 25 Feb 2016, USA (National/Federal)
HHS's Office for Civil Rights (OCR) has announced the release of a chart that identifies "mappings" between the HIPAA Security Rule and the voluntary framework for reducing cyber risks issued by the National Institute of Standards and Technology (NIST) (see Practice Notes, HIPAA Security Rule and The NIST Cybersecurity Framework). Under the HIPAA Security Rule, covered entities and business associates must comply with safeguards for protecting electronic protected health information (ePHI). (Regarding HIPAA covered entities and business associates, see Practice Note, HIPAA Privacy Rule.)
The NIST Cybersecurity Framework (formally known as the Framework for Improving Critical Infrastructure Cybersecurity):
  • Was issued in February 2014 in response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
  • Is intended to help organizations understand, communicate, and manage cybersecurity risks.
  • Organizes cybersecurity activities into five core functions: identify, protect, detect, respond, and recover.
  • Breaks each function down into categories and subcategories that define particular activities, such as inventorying hardware and software, establishing security policy, managing user identities and credentials, and training users.
  • Lists informative references, made up of widely adopted industry standards and best practices, for each of the activities defined in the subcategories.
The new HHS chart expands the Framework's informative references and cross-references:
OCR notes that, owing to the greater specificity of the NIST Framework's subcategories, some Security Rule standards map to more than one subcategory.
According to OCR, the mapping chart can assist organizations (including HIPAA covered entities, such as group health plans) that have based their security programs around either the HIPAA Security Rule or the NIST Cybersecurity Framework in:
  • Identifying potential gaps in their programs.
  • More comprehensively managing security risks in their environments.
  • Understanding the overlap between the Security Rule, NIST Framework, and other security frameworks for protecting health data.
For example, a HIPAA covered entity that has built its security program around the Security Rule can use the mapping chart to identify:
  • Which elements of the NIST Cybersecurity Framework it already satisfies.
  • Additional practices to incorporate into its security program.
The mapping chart may also provide a common language for covered entities and business associates to communicate (both internally and externally) about their cybersecurity programs, using the NIST Framework's functions, categories, and subcategories.

Practical Impact

Although the HIPAA Security Rule does not require covered entities and business associates to use the NIST Framework, doing so may provide a useful cross-check in identifying and reducing risk, particularly at a time of increased enforcement actions involving HIPAA compliance (see Practice Note, HIPAA Enforcement: Penalties and Investigations and Legal Update, Malicious Malware Leads to $750,000 HIPAA Settlement).