NIST: Pre-Draft Call for Comments: Implementing the HIPAA Security Rule (Apr. 29, 2021)
The National Institute of Standards and Technology (NIST) has issued a call for public comments in conjunction with its plan to update “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (Resource Guide). As background, NIST is a non-regulatory federal agency whose mission consists, in part, of advancing technology in ways that enhance economic security. The Resource Guide was initially published in 2005 and was updated in 2008. For this update, NIST seeks stakeholder input to help educate readers about Security Rule terminology; expand awareness of NIST cybersecurity resources and non-NIST resources relevant to the Security Rule; and provide implementation guidance for covered entities and business associates.
NIST is requesting comments regarding how organizations currently use the Resource Guide and on ways to improve it. Specifically, NIST seeks input regarding—
the most and least used Resource Guide content, and any gaps or omissions;
how to make the Resource Guide more useful and relatable to varied audiences (including health plans and business associates);
benefits or challenges when aligning the Resource Guide with other NIST resources;
components of the Resource Guide that require more frequent updates; and
tools, resources, or techniques currently used to implement the Security Rule (including managing compliance and security simultaneously, assessing risk, identifying appropriate security controls and practices, managing business associates’ compliance, the role of contracts in protecting PHI disclosed to business associates, and communicating Security Rule implementation and compliance to internal and external audiences).
Organizations are also asked to comment on any “recognized security practices” they have implemented and to describe how the practices are documented and how they overlap with and diverge from Security Rule compliance. (The reference to “recognized security practices” relates to recent legislation that requires HHS to consider these practices when determining penalties, conducting audits, and negotiating resolution agreements under the Security Rule.) Comments are due June 15, 2021.
EBIA Comment: As illustrated by recent DOL cybersecurity guidance (see our Checkpoint article), concerns for information security are spreading beyond HIPAA. NIST publications and other resources, such as the cybersecurity framework, provide valuable guidance and insights for those responsible for overseeing cybersecurity programs in any context. Some documents, such as the Resource Guide, are drafted with HIPAA in mind. Others are more generally applicable but can be tailored to HIPAA or other legal requirements (for example, see our Checkpoint article regarding the crosswalk between the cybersecurity framework and the Security Rule). For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIX (“Security Requirements: General Concepts”) and XXX (“Core Security Requirements”). See also EBIA’s ERISA Compliance manual at Section XXVIII (“Fiduciary Duties Under ERISA”).
Contributing Editors: EBIA Staff.