At the end of February, the Department of Health and Human Services (“HHS”) released a table, called a “crosswalk,” that maps standards and implementation specifications of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule to the applicable National Institute of Standards and Technology (“NIST”) Cybersecurity Framework subcategories. The HHS Office for Civil Rights (“OCR”) developed the crosswalk with NIST and the Office of the National Coordinator for Health IT in response to the “increasingly challenging atmosphere” of securing electronic protected health information (“ePHI”).
The HIPAA Security Rule sets forth certain safeguards for ePHI. HIPAA covered entities and business associates must comply with the requirements of the HIPAA Security Rule. The NIST Cybersecurity Framework was designed in February of 2014 to help organizations manage, identify, detect, and respond to cybersecurity risks. The Framework is a voluntary, risk-based approach, and entities within and outside the health care sector have relied on it when implementing and managing their cybersecurity practices.
According to the OCR, the crosswalk provides a helpful roadmap for HIPAA covered entities and business associates to better understand the overlap between the HIPAA Security Rule and NIST Cybersecurity Framework. According to the OCR, “[a]lthough the security rule does not require use of the NIST Cybersecurity Framework, and use of the [F]ramework does not guarantee HIPAA compliance, the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”
In its announcement about the crosswalk, the OCR recognized that health information maintained by health care providers has become an “increasingly attractive target for cyberattacks.” It cited to a July 25, 2015 report in USA Today, which states that the healthcare industry accounts for 42.5% of all data breaches over the last three years. The OCR hopes that entities will use the crosswalk and take action to address any gaps they may have in their cybersecurity programs. Addressing these gaps “can bolster compliance with the Security Rule and improve an entity’s ability to secure ePHI from a broad range of threats.”
The crosswalk may be found here.
Information on the HIPAA Security Rule may be found here.
The NIST Framework may be found here.
Reporter, Jennifer Raghavan, San Francisco, CA, +1 415 318 1234, firstname.lastname@example.org.