As many of you know, HIPAA covered entities and business associates are required to comply with the HIPAA Security Rule, 45 C.F.R. Part 164, subparts A and C. However, depending on the specific business and size of an organization, other optional frameworks and guidance can also help implement the HIPAA Security Rule’s requirements. One of those frameworks is the “Framework for Improving Critical Infrastructure” (CSF), developed by the National Institute of Standards and Technology (NIST). The CSF provides a structured methodology for organizations to manage risk and determine an appropriate level of investment in security. The NIST CSF is a voluntary, risk-based approach to manage cybersecurity risk in a cost-effective manner.

Recognizing the interplay between the HIPAA Security Rule and the CSF, the OCR recently released a mapping of the HIPAA Security Rule standards and implementation specifications to applicable NIST CSF subcategories. This crosswalk will provide useful guidance to entities needing to comply with the HIPAA Security Rule and also looking to use the CSF to manage cybersecurity risk. For more information, see the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, Office for Civil Rights (February 2016).