The HIPAA Security Rule guidelines have recently been updated by the National Institute of Standards and Technology (NIST). The new guidance will help aid HIPAA-regulated companies in safeguarding the protected health information of their patients.
The Security Rule is one of many components to the Health insurance Portability and Accountability Act. The Act was initially introduced to establish national standards for the protection and security of electronic protected health information. This information consists of any individually identifiable information such as name, address, date of birth, Social Security number, and medical information. Organizations who transmit, receive, maintain, or create electronic protected health information are subject to HIPAA law. In order to avoid penalties for noncompliance with HIPAA law, covered entities must make a reasonable effort to implement adequate safeguards for the security of their patient data. Compliance with the HIPAA Security Rule has become more important than ever as the number of cyberattacks continues to increase annually.
The NIST published its first update to the HIPAA Security Rule guidance in 2008. The update came 6 years prior to the introduction of the NIST Cybersecurity Framework. Since then, the NIST has frequently issued more guidance to cybersecurity and often updated its Security and Privacy Controls. The HIPAA Security Rule was updated in part to include it into NIST guidelines, which had previously not existed when Revision 1 was issued in 2008.
In the latest update to the Security Rule guidance, the NIST seeks to adopt the updated publication into a resource guide. The guidance consists of a more actionable approach which will help covered entities to advance their cybersecurity and improve compliance to the Security Rule. The NIST had categorized elements of the Security Rule into their Cybersecurity Framework in order to emphasize risk management and its associated concepts. The NIST has opened their revisions for feedback until September 21, this year. The newest revision has adopted the structure of previous guidance, however the content has been altered to support an increase in focus on risk assessments and management relating to electronic protected health information
