The U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR)  recently released a “crosswalk” developed with the National Institute of Standards and Technology (NIST) mapping  the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the NIST Framework for Improving Critical infrastructure Cybersecurity (the Framework).  This crosswalk was developed in order to assist healthcare organizations improve cybersecurity preparedness by using the Framework as a common language.  The crosswalk also includes mappings to other commonly used security frameworks.

The NIST Framework was released in 2014 in order to provide a voluntary framework to assist companies in reducing cyber risks to critical infrastructure.  This Framework has been voluntarily adopted as the standard for companies to follow when evaluating cybersecurity issues across various industries, including the healthcare industry.  Companies subject to HIPAA must implement strong security safeguards to comply with the HIPAA Security Rule and many have adopted the NIST Framework to do so.

This crosswalk should can as a tool for covered entities and business associates to evaluate potential gaps in HIPAA compliance and steps necessary to achieve compliance with  HIPAA obligations.   While the HIPAA Security Rule does not mandate use of the NIST Framework nor does compliance with the NIST Framework guarantee HIPAA compliance, the crosswalk allows companies to identify and manage security risks in a comprehensive way.