The Office for Civil Rights (OCR) recently released a “crosswalk” that tags the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to cybersecurity standards established by the National Institute of Standards and Technology (NIST). These standards – Framework for Improving Critical Infrastructure Cybersecurity – were released by NIST in 2014 as industry-neutral cybersecurity guidelines.
The Security Rule contains required and addressable safeguards that covered entities and business associates must implement to secure electronic protected health information (ePHI) under their purview. The crosswalk provides commentary on how to implement the Security Rule safeguards by grouping the NIST standards with corresponding sections in the Rule. For example, the Security Rule requires a covered entity or business associate to undertake a risk analysis to determine its potential vulnerabilities to ePHI. However, the Rule does not elaborate on what steps the business must take to comply with this requirement. The crosswalk, however, provides 13 actions the entity can take, such as inventorying software platforms and applications, in order to fulfill this obligation.
TIP: While OCR cautioned that following the crosswalk does not guarantee HIPAA compliance, it does provide greater context for the regulator’s expectations under the Security Rule. This is especially valuable given that many of OCR’s recent settlements have focused on the failure to appropriately implement Security Rule requirements.